The Function of Corporate Security within Large Organisations The Interrelationship between Information Security and Business Strategy Laura Georg


The Function of Corporate Security within

Large Organisations

The Interrelationship between Information Security

and Business Strategy

Laura Georg

Thesis published with the support of the university continuing-education programmes in information systems security, Université de Genève, HEC-Genève

Published in the same series:

DE BLASIS, Jean-Paul (2004), Dictionnaire illustré de la sécurité des systèmes d'information, HEC-Genève, Université de Genève, October 2004, 312 pp.

Section HEC

The Function of Corporate Security within Large Organisations:

The Interrelationship between Information Security

and Business Strategy

Thesis presented to the Faculty of Economic and Social Sciences of the Université de Genève

by

Laura GEORG

for the degree of

Doctor of Economic and Social Sciences

Specialisation: Business Administration

Members of the thesis jury:

Prof. Dr. Jean-Paul DE BLASIS, Geneva, Thesis supervisor

Prof. Dr. Dimitri KONSTANTAS, Geneva, Chair

Prof. Dr. Gilbert PROBST, Geneva

Dr. Lorenzo VALERI, Rome

Thesis no. 629, Geneva, 2007

The Faculty of Economic and Social Sciences, on the recommendation of the jury, has authorised the printing of this thesis without thereby expressing any opinion on the propositions stated therein, which remain the sole responsibility of their author. Geneva, 23 March 2007. The Dean, Pierre ALLAN

Printed from the author's manuscript

© Laura Georg / Editions, Geneva, May 2007

ISBN 978-3-033-01230-1

To curiosity

Acknowledgements

A number of people have contributed to this thesis. For their support, trust, and advice I am thoroughly thankful. They have not only helped the completion of this research work but also influenced my personal understanding of academics, information security, and business.

First of all, I would like to thank my supervisor Prof. Dr. Jean-Paul De Blasis. He gave me the theoretical basis for my thesis and provided me with the knowledge of all information security issues relevant to my research. Throughout the research he supported me in every aspect, and I hope to have earned the trust he put in me when I first arrived at the University of Geneva.

Dr. James Backhouse opened up to me the research world of the London School of Economics and Political Science, which gave me direction in my research and a profound understanding of academic research work.

To Dr. Lorenzo Valeri I owe constant and most constructive advice on how to manage and resolve the obstacles of a doctorate. I am very grateful for his engagement and belief in me.

For her support in the initial phase of my thesis, I would like to thank Doris Pack, MEP, who allowed me to use contacts and facilities of the European Parliament for my thesis research.

With Prof. Dr. Gilbert Probst I had most valuable discussions on all strategic questions that turned up throughout the research. Dr. Robert Coles gave me insights into the research of information security management. Dr. Jonathan Liebenau’s great academic experience and insights impressed me and influenced my research. Prof. Dr. Larry Gordon and Prof. Dr. Martin Loeb at the University of Maryland widened my academic background in the field of information security economics. Prof. Jean Bloch provided me with all information I needed on information security governance and has been a vivid discussion partner throughout my research.

I especially would like to thank my contacts in Bank A, Bank B, TelCo C and SoftCo D as well as the interviewees in the healthcare, e-commerce and pharmaceutical sectors. I had very interesting and most valuable conversations that were indispensable for my thesis research and gave me great insights into information security practice. In all organisations I received outstanding help and met most knowledgeable experts in their field.

For his ringing endorsement, most valuable critique, and endless patience, I would like to thank Jakub Krawczyk.

Throughout all my student years my parents Gisela & Wolfgang Georg were always there for support and helped me through the ups and downs of this journey. Thank you for giving me this opportunity.

Last but not least, I would like to thank Katja Stumpf for her oh so valuable comments when proofreading this thesis.

Executive Summary

The empirical research in this thesis demonstrates that a shift in the information security paradigm has taken place, in which information security turns from a defensive tool into a progressive, value-adding management tool. Twenty-three interviews conducted in a qualitative study of four cases in the UK, Switzerland and Germany, in the banking, telecommunications and software development sectors, provide empirical validation for the Internal/External Function of Corporate Security (IFCS/EFCS) theory. The theory is based on the observation that the function of corporate security has been undergoing important changes owing to new possibilities for processing, safeguarding and accessing information; constantly emerging risks, technologies, standards and regulations; and increasing public attention to security issues. These changes, the thesis argues, lead to an interrelationship between information security and business strategy.

The IFCS/EFCS theory introduces the concept of an internal function and an external function of corporate security, using the conceptual framework of responsibility modelling. The internal function comprises what is understood as classical information risk management, which is concerned with defending the existing assets of the organisation. Only the Basel II framework establishes a correlation between operational risk and performance in the financial services industry. The external function circumscribes the technical interface between the internal function and the organisation's external stakeholders. Organisations use trust and reputation to attract investors and customers, and they create revenue, gain competitive advantage and improve their performance by marketing information security products and services to their customers. The research further shows that a revenue opportunity for organisations emerges when customers perceive security to be within their own responsibility. This perception is determined by legal requirements and by the customer's knowledge and ethical and cultural background. Different standards and expectations apply to business and retail customers, who have different levels of expertise and technical capability as well as different security concerns. Additionally, the threat of new entrants, peer group pressure and the internalisation of assets were found to determine the business strategy in the four cases. Contrary to the prior assumption, certification was not found to create added value for organisations. Finally, the theory attributes the three information security principles (confidentiality, integrity and availability) to their business-related function inside the organisation.

Key Words: Information security management, business strategy, strategic alignment, boundaries of responsibility, international information security standards, IT governance, information risk assessment.


Table of Contents

Table of Contents ..........................................................................................................................I

List of Figures................................................................................................................................V

List of Tables................................................................................................................................VI

List of Acronyms........................................................................................................................ VII

Introduction...................................................................................................................................1

Part I: Theoretical Aspects of Information Security ....................................................................11

Chapter 1: The Technological (R)Evolution ...............................................................................13

a) Information and Business Intelligence............................................................................14

b) Dimension of Time .........................................................................................................16

c) Going Global ...................................................................................................................17

d) Information Security within Large Organisations and Critical Industries .....................18

e) Operational Dependence: Integrating IT into Business..................................................21

f) Portable Computing Devices...........................................................................................23

Conclusion...............................................................................................................................24

Chapter 2: Information Security: A Holistic Approach ..............................................................25

a) The Principles of Information Security ...........................................................................26

i) Confidentiality, Integrity and Availability (CIA).........................................................26

ii) Additional Principles...................................................................................................28

b) Information Security Strategy..........................................................................................30

i) Formal Measures..........................................................................................................31

ii) Informal Measures.......................................................................................................36

Conclusion...............................................................................................................................41

Chapter 3: Legal Compliance and International Information Security Standards.....................43

a) The Legal Aspects of Information Security .....................................................................43

i) Sarbanes-Oxley Act (SoX) ............................................................................................44

ii) EU Legislation .............................................................................................................45

iii) Jurisdiction and Information Security ........................................................................46

b) De Facto and De Jure Standards .....................................................................................47

c) IT Governance: Enabler of Information Security ...........................................................60

Conclusion...............................................................................................................................62

Chapter 4: Risk Analysis and Risk Assessment ...........................................................................63

a) The Evaluation of Information Systems Risk..................................................................64

b) Critique of Risk Evaluation.............................................................................................66

c) Alternative Possibilities of Quantifying Risk...................................................................67

d) Management of Security Risk..........................................................................................68

e) Information Security and Operational Risk....................................................................69

f) Reputation Risk and Trust ..............................................................................................73

Conclusion...............................................................................................................................75

Chapter 5: The Concept of Business Strategy .............................................................................77

a) Approaches to Constructing Business Strategy ...............................................................77

i) External and Internal Shaping of Business Strategy....................................................78

ii) The Process and Content Approach ...........................................................................79

b) Business Strategy Evaluation ...........................................................................................80

i) Distinctive Competences and Value Added Chain ....................................................81

ii) Enterprise Performance and Alignment......................................................................83

iii) Reputation and Performance ......................................................................................84

iv) Competitive Advantage in Information Security Research.........................................86

Conclusion...............................................................................................................................88

Chapter 6: Theoretical Concepts: Information Security Management in the Need of Control and Design ...................................................................................................................................91

a) The Four Generations of IS Security Development Approaches....................................91

b) The Conceptual Framework of Responsibility Modelling ..............................................93

c) Theoretical Concepts from Security Risk Management to Information Security Governance..............................................................................................................................95

i) Security Risk Planning Model .....................................................................................95

ii) Organisational Chain Framework...............................................................................96

iii) Hybrid Security Method..............................................................................................98

iv) Generally Accepted Information Security Principles (GAISP) ...................................99

v) Crime Specific Opportunity Structure......................................................................100

vi) Security Knowledge Management System .................................................................102

vii) Von Solms Frameworks: from ISM to ISG ...............................................................103

viii) Corporate Governance Task Force ISG Programme ................................................106

d) Theories of Newly Emerging Concepts .........................................................................107

i) Business Process: Information Risk Management Model .........................................107

ii) Multi-Perspective Information Assurance Strategy Framework (MPIAS) .................111

Conclusion.............................................................................................................................113

Conclusion Part I.......................................................................................................................115

Part II: Empirical Research and Analysis...................................................................................119

Chapter 7: Applied Research Methodology ..............................................................................121

a) Positivistic Philosophy ...................................................................................................121

b) A Qualitative Type of Evidence.....................................................................................124

c) Building Theory.............................................................................................................125

d) Case Study Methodology ...............................................................................................128

e) Research Method...........................................................................................................131

i) Unit of Analysis .........................................................................................................131

ii) Data Collection .........................................................................................................132

iii) Data Analysis .............................................................................................................134

Conclusion.............................................................................................................................135

Chapter 8: Case Study Analysis .................................................................................................137

a) Case Study of Bank A....................................................................................................138

i) Environmental Assessment of Bank A ......................................................................138

ii) Role of IT Security.....................................................................................................139

iii) Governance ...............................................................................................................142

iv) Corporate Security Functions in Bank A..................................................................144

v) Characteristics and Development of Product α ........................................................147

vi) Information Security and Measures of Business Strategy .........................................150

Conclusion ........................................................................................................................154

b) Case Study of Bank B ....................................................................................................156

i) Environment of Bank B ............................................................................................156

ii) Role of IT Security.....................................................................................................157

iii) Governance ...............................................................................................................159

iv) Organisational Approach to Information Security ...................................................162

v) Characteristics of Project χ........................................................................................164

vi) Information Security and Measures of Business Strategy .........................................164

Conclusion ........................................................................................................................166

c) Case Study of Telecommunications Company C .........................................................168

i) Environmental Assessment of the TelCo C..............................................................168

ii) Role of Information and Communication Technology (ICT) Security ....................169

iii) Governance ...............................................................................................................170

iv) Organisational Growth and Strategic Alignment of Information Security...............172

v) Characteristics and Development of Product β ........................................................174

vi) Information Security and Business Strategy..............................................................178

Conclusion ........................................................................................................................183

d) Case Study of Software Development Corporation D..................................................184

i) Environmental Assessment .......................................................................................184

ii) Role of IT Security.....................................................................................................185

iii) Governance ...............................................................................................................187

iv) Organisational Approach to Information Security ...................................................189

v) Information Security Solutions and Products...........................................................189

vi) Information Security and Business Strategy..............................................................193

Conclusion ........................................................................................................................200

e) Other Expert Interviews ................................................................................................202

i) Healthcare Sector ......................................................................................................202

ii) Pharmaceutical Sector ...............................................................................................206

iii) E-commerce ...............................................................................................................207

Conclusion ........................................................................................................................208

f) Cross-Case Analysis .......................................................................................................210

Conclusion ........................................................................................................................220

Conclusion Part II .....................................................................................................................222

Chapter 9: Discussion and Theory ............................................................................................223

a) Discussion of Findings in Conjunction with the Enfolding Literature ........................223

b) Developed Hypothesis and Theory ...............................................................................235

c) Embedding of Theory in Other Information Security Management Concepts............242

Conclusion.............................................................................................................................246

General Conclusion...................................................................................................................247

a) Overview of the Thesis ..................................................................................................247

b) Contributions ................................................................................................................249

i) Theoretical Contributions.........................................................................................249

ii) Methodological Contributions..................................................................................250

iii) Practical Contributions .............................................................................................251

c) Implications of the Research Approach ........................................................................253

i) Adequacy of the Research Framework ......................................................................253

ii) Research Design Limitations.....................................................................................253

d) Areas of Further Research .............................................................................................254

Epilogue .................................................................................................................................256

References ..................................................................................................................................259

Annex.........................................................................................................................................281

Annex 1: DTI Information Classification: Protection and Control .....................................281

Annex 2: Business Lines and Beta Factors in the Standardized Approach to Calculate Operational Risk ...................................................................................................................289

Annex 3: ISO 27001 Certification Process ..........................................................................290

Annex 4: Number of ISO 27001 Certified Organisations per Country ..............................291

Annex 5: Management of IT Security....................................................................................292

Annex 6: The Communities (and Schools of Thought) Behind IS Security Approaches ...292

Annex 7: Interview Questions used in Semi-structured Interviews for Case Studies............293

Annex 8: List of Documents and Research Interviews Conducted.......................................294

Annex 9: Bank A's approach to Information Assurance (IA) ...............................................296

List of Figures

Figure 1: Initial Construct of the Function of Corporate Security ...............................................5

Figure 2: What drives information security expenditure? .............................................................7

Figure 3: Total Incidents Reported 1995 - 2003 .........................................................................19

Figure 4: Shain: Impacts Resulting from Information Security Breaches ...................................27

Figure 5: De Jure and De Facto Standards: Classification of Guidance .....................................49

Figure 6: Plan-Do-Check-Act Model ............................................................................................51

Figure 7: ISO/IEC 15408: Standards Influences ........................................................................54

Figure 8: Component of the COSO ERM Model.......................................................................57

Figure 9: Typical Loss Distribution for Operational Risk losses .................................................70

Figure 10: Conceptual Domain of Business Policy and Strategy.................................................83

Figure 11: Probabilities on Perceived Organisational Reputation and Organisational Performance.........................................................................................................................86

Figure 12: An Overview of Approaches for Secure IS Development ..........................................92

Figure 13: Example of Ontology Chart for a Secure Hospital Environment..............................94

Figure 14: Framework Definition from the Organizational Chain.............................................97

Figure 15: Crime Specific Opportunity Structure .....................................................................101

Figure 16: A Structural Model of IS Security Knowledge .........................................................103

Figure 17: Posthumus/Von Solms Information Security Governance Framework ..................105

Figure 18: BPIRM: Process Model ............................................................................................108

Figure 19: BPIRM: Content Model...........................................................................................110

Figure 20: Multi-perspective information assurance strategy framework ..................................112

Figure 21: Initial Construct of the Function of Corporate Security Revisited .........................115

Figure 22: Classification of Information Security Approaches into the Interpretivistic ...........123

Figure 23: The Function of Corporate Security of Bank A.......................................................155

Figure 24: The Function of Corporate Security of Bank B .......................................................167

Figure 25: Organisation Chart of Telecommunication Company C........................................173

Figure 26: Customer Responsibility for Information Security Protection ................................176

Figure 27: Characteristics of Product β .....................................................................................177

Figure 28: Product β Customer Commitment Analysis ............................................................181

Figure 29: The Function of Corporate Security of Telecommunication Company C..............183


Figure 30: The Function of Corporate Security of Software Development Corporation D.....201

Figure 31: Telematic and Health Card Scheme ........................................................................203

Figure 32: Results on the Function of Corporate Security from Expert Interviews..................209

Figure 33: Internal and External Function of Corporate Security ............................................238

Figure 34: The Role of Business and Retail Customers in the IFCS/EFCS Framework ........240

Figure 35: CIA Principles in the IFCS/EFCS Framework.......................................................241

List of Tables

Table 1: Overview De-Jure Standards ..........................................................................................56

Table 2: Overview De-Facto Standards........................................................................................59

Table 3: Qualitative and Quantitative Risk Prioritization Example............................................65

Table 4: Description of Phases in the Security Risk Planning Model .........................................96

Table 5: Cross-Impact Matrix Relating BFP's to PP's.................................................................100

Table 6: Roadmap for Building Theory from Case Study Research .........................................127

Table 7: Summary Research Methodology ................................................................................135

Table 8: Cross-Case Analysis......................................................................................................219

Table 9: Summary of Case Study Findings................................................................................221

Table 10: Summary Thesis' Contributions................................................................................252

Table 11: Summary of Implications of Research Approach......................................................254

Table 12: Areas of Further Research .........................................................................................255


List of Acronyms

ALE Annual Loss Expectancy

AMA Advanced Measurement Approach

BCP Business Continuity Plan

BFP Broad Functional Principles

BI Business Intelligence

BPIRM Business Process: Information Risk Management

BS British Standard

BSI Bundesamt für Sicherheit in der Informationstechnik

B2B Business-To-Business

B2C Business-To-Customer

CC Common Criteria

CCTA Central Computing and Telecommunications Agency

CEO Chief Executive Officer

CFB Commission Fédérale des Banques

CIA Confidentiality, Integrity, Availability

CIGREF Club Informatique des Grandes Entreprises Françaises

CIO Chief Information Officer

CobiT Control Objectives for Information and Related Technology

COO Chief Operations Officer

COSO Committee of Sponsoring Organizations of the Treadway Commission

CR Corporate Responsibility

CRM Customer Relationship Management

CSTS Comité de Sécurité de Territoire Suisse

DPA Data Protection Act

DPI Differentiation Potential Index

DTI Department of Trade and Industry

EAL Evaluation Assurance Level

E-Com E-commerce

EFCS External Function of Corporate Security

ERM Enterprise Risk Management


ERP Enterprise Resource Planning

EU European Union

FIPS Federal Information Processing Standard

FRS Fraud, Risk, and Security

GAISP Generally Accepted Information Security Principles

GASSP Generally Accepted System Security Principles

HC Health Card

IA Information Assurance

ICT Information and Communication Technology

IDS Intrusion Detection System

IES Intelligence Économique et Stratégique

IEC International Electrotechnical Commission

IFCS Internal Function of Corporate Security

IPSec Internet Protocol Security

IS Information Systems

ISACA Information Systems Audit and Control Association

ISF Information Security Forum

ISG Information Security Governance

ISM Information Security Management

ISMS Information Security Management System

ISO International Organisation for Standardization

ISP Information Security Policy

ISS Information Systems Security

ISSA Information Systems Security Association

IT Information Technology

ITSEC Information Technology Security Evaluation Criteria

ITIL Information Technology Infrastructure Library

KPI Key Performance Indicator

MPIAS Multi-Perspective Information Assurance Strategy

NIST National Institute of Standards and Technology

OE Operational Effectiveness

OECD Organisation for Economic Co-operation and Development

OGC Office of Government Commerce


OpCos Operation Companies

OpVaR Operational Value at Risk

OSE Operational Security Environment

OTP One-Time-Password

PCD Portable Computing Device

PDCA Plan-Do-Check-Act

PDA Personal Digital Assistant

PharmaCo Pharmaceutical Corporation

PP Pervasive Principles

RDR Risk Data Repository

RITE Responsibility, Integrity, Trust, and Ethicality

ROI Return on Investment

SBU Strategic Business Unit

SEC US Security and Exchange Commission

SLA Service Level Agreement

SoftCo Software Development Corporation

SoX Sarbanes-Oxley Act

STOA Scientific and Technological Options Assessment

TCSEC Trusted Computer Security Evaluation Criteria

TelCo Telecommunication Company

TOE Targets of Evaluation

TVS Technology Value Selling

UK United Kingdom

US(A) United States of America

VPN Virtual Private Network

VSM Viable System Model

VoIP Voice-over-Internet Protocol

Introduction

Information technologies developed in the past decade have changed business significantly. Virtually every industry, from banking and securities trading to manufacturing, has undergone an evolution towards more effective and efficient organisation, production, and trading. New telecommunication systems (e.g. video conferencing, VoIP) opened up enormous opportunities and led to a world without geographical boundaries. Telecommunications reach virtually every aspect of business, so that companies are increasingly dependent on computers and networks.[1] New applications are created, giving rise to ever more complex systems which are often too complex to yield a reasonable return on investment, as they require extra training for users and can interfere with other programs; hence new vulnerabilities continue to appear faster than old ones are fixed. If information technology (IT) management and security were not always of great importance to business managers, they became a major topic due to an increasing number of attacks and, in some cases, an exclusive dependence on IT, as is the case in e-commerce, e-banking etc. Thus firms have to recognise and experience the dangerous sides of this evolution. The security of information systems is often an underestimated risk, and losses of business intelligence, in particular, have already caused great damage. A recent study shows that fraud is a significant and growing threat: 45% of companies worldwide have fallen victim to economic crime in the past two years. This is an eight percent increase compared to comparable studies carried out in 2001 and 2003. In particular, there have been major increases in the number reporting corruption and bribery, money laundering, and financial misrepresentation. The average financial damage to companies from tangible frauds (i.e. asset misappropriation, false pretences, and counterfeiting) is further estimated to be US$ 1.7 million.[2]

“‘Computer Security’ was originally the preserve of the military, whose concern was to ensure the secrecy of information which might be helpful to an enemy. As a result, it was assumed that the key requirements were to build strong defences around the information system, and to keep the release of information to a minimum. It has taken some time for the commercial world to shake off these assumptions and to develop new ones of its own”.[3] Hawker makes two pertinent points about the understanding of security. The first is that objectives and views on security change over time as the business environment and society change. The second is that security plays an integral role in protecting a corporation’s resources, with an associated need for controls and monitoring activities. These two premises build the foundation for this research work. It shall be argued that the focal point of corporate security is moving away from physical security and mere technology security towards information security. The targets of attacks are organisations’ information assets, hosting what in the past decade became a competitive advantage for many organisations.[4] Subsequently information security has changed and inherited a new function within organisations. Cavanagh writes that “the process of security management is beginning to evolve into a strategic business function”.[5] What used to be computer security became information systems security and information security. With the diffusion of information security into the different departments (operations, legal, human resources and audit), information security had to become more understandable for technical laypersons. To make it understandable to non-security experts, its language changed and became much more business-adapted. Already the term information security shows the development towards a more holistic approach to security, as the new focal point of corporate security. Other synonyms used for information security today are information assurance, business security[6] or enterprise/information security risk.

[1] See Scientific and Technological Options Assessment, Development of Surveillance Technology and Risk of Abuse of Economic Information, 1999, p. 4.
[2] See PricewaterhouseCoopers, Global Economic Crime Survey 2005, 2005, p. 2.
[3] Hawker, A., Security and Control in Information Systems, 2000, p. 4.

If lessons have been learnt, good management of information security has become part of the overall business objectives and has also led to organisational changes. Already in 1982 Rockart wrote that “the ‘technically oriented’ information systems executive of the 1960s and 1970s is rapidly being replaced by ‘managerially oriented’ executive of the 1980s”.[7] A study published by the Club Informatique des Grandes Entreprises Françaises[8] (CIGREF) analyses the relationships between information technology and economic intelligence and strategy. According to this study, the person in charge of Intelligence Économique et Stratégique (IES) participates in defining information security policy in 61% of the cases analysed. His role increases with, and is determined by, the relative competitive advantage of the company and the number of attacks detected.[9] Further, according to a 2002 study by McKinsey, some Fortune 500 companies have added strategic, operational and organisational safeguards to the responsibilities of security managers, complementing the technological measures currently employed to protect corporate information.[10]

[4] See Luftman, J., Competing in the information age, 2003, p. 5; see Porter and Miller, How information gives you competitive advantage, 1985, p. 150.
[5] Cavanagh, T., Corporate Security Management: Organization and Spending Since 9/11, 2003, p. 5.
[6] The term business security is meant to ‘elevate’ information security to business security, so it “will get the extra focus and attention it needs”, as if “information security risks materialise, business as a whole will be affected”. See Von Solms, B., Von Solms, R., From information security to…business security?, 2005, p. 272.
[7] Rockart, J., The Changing Role of the Information Systems Executive: A Critical Success Factors Perspective, 1982, p. 3.
[8] See CIGREF, Intelligence économique et stratégique: Les systèmes d’information au cœur de la démarche, 2003, p. 17.

Management, however, tends to look at the direct consequences of information loss, whereas the ‘collateral damage’ in many cases goes beyond the direct financial consequences of security breaches:[11]

Media attention: Information security issues have continually been of special interest to the press. Examples are virus attacks (“I love you” or “Witty”[12]) or credit card credential losses.[13] Media coverage of these events is exhaustive and it has a significant influence on the organisation’s environment later on. In the wake of fraud incidents, for example, 40% of organisations indicated that they had suffered significant ‘collateral damage’, such as loss of reputation, decreased staff motivation, and declining business relations. The impact of such ‘collateral damage’ is often perceived to be strongest in cases where incidents were leaked to customers or the media.[14]

External auditor comments: Because of the high impact information security breaches can have on an organisation’s actual value, external audit firms pay increasing attention to the security of information systems. External auditors rely on the adequacy of information and its integrity. Inconsistency of data and absence of sufficient information systems controls might lead to negative auditor comments and might damage the organisation’s reputation.

Insurance premium rating: Insurance companies are increasingly offering major reductions in premiums for policies related to computer security if the insured meets certain minimum security standards; these might be measured against business interruption or computer fraud. Called ‘premium rating’, this practice reflects the lessened risk insurance companies face when their customers opt for risk reduction rather than risk transfer.

[9] The survey was carried out on behalf of the Cigref, accumulating data from companies all over France with more than 200 employees: Cigref, Intelligence économique et stratégique: Les systèmes d’information au cœur de la démarche, 2003, p. 5.
[10] See Lohmeyer, D.F., McCrory, J., Pogreb, S., Managing Information Security, 2002, pp. 12.
[11] See PricewaterhouseCoopers, Global Economic Crime Survey 2005, 2005, p. 12.
[12] See Schmundt, H., Verseuchter Seuchenschutz, 2005.
[13] One of the biggest losses occurred in June 2005 when 40 million credit card numbers were hacked. Officials at Mastercard and Visa accused the operating company CardSystems Solutions Inc. of not meeting agreed-upon computer security standards. See Krim, J., Barbaro, M., 40 Million Credit Card Numbers Hacked: Data Breached at Processing Centre, Washington Post, 18 June 2005.
[14] See PricewaterhouseCoopers, Global Economic Crime Survey 2005, 2005, p. 2.


Personal liability: Liability very often leads to the assignment of responsibilities, even at corporate level. Standards of due care have been developed, and information security practitioners and their managers may be held personally liable if they do not subscribe to the control practices found at similar organisations.[15] Managers also face prosecution in case of wantonly negligent handling of informational assets or failure to assure the integrity of information in the form of internal controls.

Government laws and regulations: Many national and international de jure standards have been produced in the past years, in compliance with government laws and regulations. These help to foster security and present a major incentive for organisations to invest in information security.[16]

Stakeholder interest: Internal as well as external stakeholders rely on, and see it as the responsibility of, management to secure company assets. This also includes the impact such security events have on employees, clients or owners. Under the efficient markets hypothesis developed by Fama et al.,[17] new publicly available information is received and immediately absorbed by investors and incorporated into share prices. Studies prove that major impacts on shareholder value can be noticed and lead to major financial losses.[18]

Although the above arguments go beyond operational tasks and clearly show the organisation’s interest in treating security breaches not as purely technical issues, management and the board are believed to still underestimate the importance of information security. Two reasons can be identified in theory.

Firstly, information security is a defensive instrument to secure an organisation’s assets. The entrepreneurial aspect is missing and successful management doesn’t show in monetary gains. Managers are therefore less likely to focus on defending what they have than on trying to open new markets.[19]

Secondly, the effectiveness of techniques for information security, or in other words the return on investment of security measures, is hard to quantify. Feedback to management therefore stays rather at the non-predictive level that generally no major incident occurred. Proactive management only becomes interesting when a security breach occurs, but even in these cases no effective feedback can be received by management to indicate that the effort has actually provided real security.[20]

[15] See Wood, C.C., Effective Information Security Management, 1991, p. 100.
[16] Ibid, pp. 99.
[17] See Fama, E.F., Fisher, L., Jensen, M., Roll, R., The adjustment of stock prices to new information, 1969, pp. 1.
[18] See Garg, A., Curtis, J., Halper, H., Quantifying the financial impact of IT security breaches, 2003, p. 75.
[19] See Birchall, D., Ezingeard, J., McFadzean, E., Howlin, N., Yoxall, D., Information assurance: Strategic alignment and competitive advantage, 2004, p. 6.

In the following paragraph, the initial construct that shall be developed into a hypothesis in this thesis is presented. The driving question is whether there is a genuine change in the function of corporate security justifying the introduction of information security into business strategy. For this reason the various elements that constitute this function of corporate security need to be analysed. After a thorough literature review, an initial research construct has been developed that describes the relationships that need to be taken into consideration from a managerial perspective on information security.

Figure 1: Initial Construct of the Function of Corporate Security

[Figure 1 labels: Business Strategy Content & Process; Competitive Advantage; Trust; Environmental factors: Time/Risk/Globalisation; Governance: Legal compliance, International standards; IT/IS & Behaviour; Corporate Security Management: Strategic Alignment; ISP, Outsourcing, Privacy; Information Assets: CIA & RITE Principles]

In this initial construct, information security, before seen as part of the IT and Information Systems (IS) department, is becoming a distinct discipline. It finds itself connected to and in relation with other factors and domains, such as environmental and legal issues, functioning as a spiral, incorporating inputs from the different departments and balancing them against possible trade-offs.

The interrelationship between information security and business strategy, which is assumed to draw on the above construct, shall be of particular interest.

[20] See Baskerville, R., Risk analysis: an interpretive feasibility tool in justifying information systems security, 1991, p. 123.


The logic of researching such an interrelationship is that information technology and information systems have become recognised components and drivers of business strategy.[21] The evolution of the past years emphasises a concentration of the security function on the one word both terms have in common: information. Thus, as argued by Kaplan and Norton, the ability of organisations to exploit intangible assets has become far more decisive than their ability to invest in and manage physical assets, as companies around the world transform themselves for competition that is based on information.[22] Consequently, if IT/IS systems, as the hosts of business information, are strategic tools to support a company’s business strategy, and information as an intangible asset of strategic importance is critical for competitiveness and a company’s business success, then the availability, integrity and confidentiality of the data that the system protects should be as well. Furthermore, the loss of reputation due to information security breaches is a risk factor for companies to lose customers and can result in significant financial losses on the stock market.[23] The Gartner Group research firm found that 28% of respondent banks said that online attacks are causing them to reduce their web-banking activity.[24] Information security becomes a question of organisations staying competitive in their markets when using new means of technology such as the internet. But also previously ignored external factors, including the stronger influence of shareholders and other business stakeholders, now resulting in increased attention towards corporate governance, need to be taken into account and should be incorporated into strategy and risk management processes. According to the latest Department of Trade and Industry (DTI) survey, a change of attitude has taken place in organisations and the protection of customer data has become the top priority for organisations. However, the survey also shows that exclusively the protection of existing assets is seen and researched as a reason for organisations to allocate and spend money on information security.

[21] See McFarlan, W., Information Technology changes the way you compete, 1984, p. 101; see Ward, J., Information Systems and Technology Application Portfolio Management: an Assessment of Matrix-Based Analyses, 1988, p. 206.
[22] See Kaplan, R., Norton, D., Using the Balanced Scorecard as Strategic Management System, 1996, pp. 75.
[23] See Garg, A., Curtis, J., Halper, H., Quantifying the financial impact of IT security breaches, 2003, pp. 80.
[24] See Rombel, A., The World’s Best Internet Banks 2005, 2005, p. 31.


Figure 2: What drives information security expenditure?[25]

For information security to become a part of business strategy it needs to go beyond mere protection of crucial but already existing assets; the creation of trust might be such a decisive factor. Trust as a natural basis between business partners (Business-To-Business (B2B) or Business-To-Customer (B2C)) is also founded on the belief that shared information remains confidential, available and integral. Customers and partners might differentiate, especially in critical industries, in their choice according to certain security criteria.

However, there are limitations to this initial research construct and these shouldn’t be underestimated, as information security as a strategic task for good management and governance is a fairly unexplored topic.

In order to take appropriate measures to secure an organisation’s business intelligence, an analysis of threats to the organisation’s information assets is necessary. Investments must be allocated according to the core issues of the organisation’s exigencies. As the importance of business intelligence differs among sectors, there are only a number of especially sensitive sectors where information security can and should be part of business strategy. The commercial space in this sense is, in its liability and commitment, far from being uniform in its progress.[26]

Hence the function of information security in different sectors incorporates different strategies. Maximum information security is not only impossible to achieve but can even become counterproductive when unnecessary measures are taken that hinder efficient workflow. As the author, not only for these reasons, decided to conduct a qualitative research method, organisations with a high probability that this interrelationship exists will be chosen and their set-up of information security management analysed.

In this thesis, current evolutions changing the function of corporate security within large organisations will be reviewed according to what has been presented in Figure 1, as well as the interrelationship between information security and business strategy. The thesis has therefore been divided into two parts. Part I comprises the theoretical discussion of the topic, whereas Part II deals with the empirical research conducted.

Part I starts with the evolution of management strategy connected to the technological (r)evolution, which is the topic of the first chapter of the present research work. Features of this revolution will be analysed, showing important technical but also social and organisational developments. It gives an introduction to the change of the function of corporate security in today’s organisations.

In the second chapter, principles of information security are assembled, providing the base for a sound information security strategy that should be integrated and aligned with business objectives. Subsequently, formal as well as informal security measures will be presented.

The third chapter deals with legal requirements that are forced upon organisations but also draw the attention of stakeholders towards information security. This attention led in the past years to an increased voluntary dedication of organisations to carry out internal audits to prove compliance with these laws and stakeholders’ expectations. Many international standards like ISO/IEC 27001 or ISO 13333, developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), as well as other research institutes are interested in combining good governance practice with these standards. So-called de jure and de facto standards give guidelines for auditing the management of information and related technology in companies.

[25] DTI/PricewaterhouseCoopers, Information Security Breaches Survey 2006, p. 12.
[26] See Birchall, D., Ezingeard, J., McFadzean, E., Howlin, N., Yoxall, D., Information assurance: Strategic alignment and competitive advantage, 2004, p. vii.

In the fourth chapter, various methods for assessing and analysing information security risks in organisations are discussed. A particular focus is on operational risks, which present a high threat especially to financial service institutions.

In Chapter Five, components of business strategy are identified, as well as possibilities for analysing them. The concept of business strategy implies that a company only proactively integrates into its strategy what helps it to gain distinct competences and a competitive advantage and to create added value for the business.

In the sixth chapter, various frameworks providing options for elevating information security to a management task will be presented and analysed. Social concepts as well as risk and governance concepts can be employed to optimise information security management. Two frameworks are of special importance for the later research, recognising the variables of strategy process and content and introducing the theory of strategic alignment.

A conclusion of Part I will summarise the most important findings of the theoretical part of the present research and lead over to the empirical Part II.

In Chapter Seven an outline of the philosophical foundation, as well as the applied research methodology, will be presented. It will be argued in favour of a positivistic ontological-epistemological approach and a qualitative type of evidence. The methodology leading towards shaping a hypothesis and building theory will be explained, as well as the case study research method, describing the unit of analysis, data collection and data analysis.

The eighth chapter contains the within-case analysis of each case study, in which the findings will be presented according to Figure 1. In the final paragraph of the chapter a cross-case analysis will show commonalities and differences among the cases.

After the conclusion of Part II, Chapter Nine contains the final discussion of the empirical findings in conjunction with theory. This will lead to shaping the hypothesis and building the theory, which will be compared to the enfolding literature in a final step.

The final conclusion will discuss the theoretical, methodological, and practical contributions of the thesis, the implications of the research approach, as well as areas of further research.

Editor’s note: [Pages 10-222 of this thesis are omitted for reasons of confidentiality of the data used in the case studies]

Chapter 9: Discussion and Theory

Chapter 9 synthesises Part I and Part II and embodies the results of the research. Its target is to shape a hypothesis emerging from the empirical findings of Chapter 8. The thesis hypothesis is to demonstrate that a change in the function of corporate security took place, leading to an interrelationship between information security and business strategy. Once such an interrelationship has been proved to exist, the endeavour is to research its semantics and the conditions that apply, which then form the thesis’ theory.

Chapter 9 is structured in three paragraphs. The first paragraph discusses the empirical findings of Part II in conjunction with the enfolding literature of Part I. Commonalities, differences and amendments to the initial construct are presented and provide a comprehensive understanding of the coherences between information security variables. This synthesis of theoretical and empirical data leads to the shaping of the hypothesis in the second paragraph, which further comprises the developed theory of the dissertation. The final paragraph of Chapter 9 discusses the theory in conjunction with the concepts of information security management analysed in Chapter 6.

a) Discussion of Findings in Conjunction with the Enfolding Literature

In the enfolding literature review in Part I some general tendencies have been outlined that were also found in the empirical research conducted through the four case studies.[571] A reinforced empirical validity of some of these tendencies can be concluded from the commonalities found in the case studies; however, some others could not be confirmed.

The subject of the preference among the CIA principles hasn’t been treated in the initial case study analysis, as all three principles were given as answers and no clear pattern according to function or industry could be established. However, a tendency in the explanation of why a principle was chosen could be found. Thus, most interviewees in the organisations that held personal data argued confidentiality to be the most important principle from a customer’s point of view. Availability was judged to be most important for the immediate survival of the business, so that services can be offered to the clients. Integrity was judged to be most important from a regulatory point of view. A fourth principle was found to be added to the CIA at Bank B and SoftCo D, which is non-repudiation. However, in the context of the present study the function of non-repudiation is closely related to the function of the integrity of data, as both threaten the organisations’ reputation through non-compliance with regulatory requirements.

[571] When referring to “organisations” in the discussion of findings only the four main case studies are included. The additional cases will be mentioned explicitly.

Globalisation became both a boon and a bane for the organisations. All organisations were winners in the global game, but increasing security threats led to a reorganisation of the security function. A shift from the classical IT security function toward information risk management, which included the classic IT function but also fraud, risk, and corporate alignment functions such as strategic committees or departments of information assurance, took place. The organisations aimed for a holistic approach, aligning the various variables of corporate security to create synergies and bundle these in a coherent strategy.

Formal and informal measures in the information security strategy were found to be default measures, which means that they were acknowledged to be important for implementing good information security management, but not necessarily of high importance in the corporate security alignment process. An ISP and privacy statement existed in every organisation; no organisation outsourced any major security functions. Training and awareness programmes for responsible staff were offered, or even made obligatory, in the organisations. These formal and informal measures have slightly changed over the last years but weren’t at the core of the organisations’ information security strategy. In the case studies it was found that organisations invested rather in a business alignment of information security that focused on cost reduction through greater efficiency, good governance of regulatory requirements and reputation, and a new assessment of information security risks.

The risk assessment was confirmed to be more business-driven than was the case a few years ago. Thus, although Courtney’s equation is still used as a basic rule in the IT security department, it doesn’t represent the full assessment of risks as it is carried out today. Additional risks have been added to Courtney’s equation to complete a holistic risk analysis.

Particularly financial organisations were found to be concerned with operational risk.

Again, a reorganisation was discovered that took place in Bank B from a discontinued risk assessment through internal audits, to a permanent assessment of operational risks. The new permanent assessment of operational risk became a task for middle management in the organisation. The responsibility for operational risks is hence shifted to those immediately concerned by the threats. The management of operational risk was found in practice to be an argument for the corporate security department to improve measures, as it immediately impacts the bank’s performance.

Finally, reputation risk became one of the most important variables in the organisations’ risk analysis. In the researched organisations it was identified as an effective tool to convince the executive management of the importance of information security for the organisation. This finding supports Baskerville’s[572] hypothesis that risk analysis can be particularly useful as a communication technique that provides a link between the security and management professional.

The problem of the quantification of losses and threats was one which remained throughout the cases, conceding Baskerville’s[573] point that the risk assessment remains a meta-control tool that rests in the subjective experience of the designer and is not an objective prediction of any statistics. None of the organisations had, for example, even attempted to quantify its reputation risk. In the researched organisations, approaches presented by Garg et al.[574] to count capital losses on the stock exchange price were judged as incorrect, as the stock market would recover after a few days and too many other influences could bias the results. Thus, the quantification of information security threats and vulnerabilities continues to be unsolved, but remains at the same time the holy grail of information security risk analysis.

The second stream of thought in the alignment of information security throughout all cases was information security governance. Especially those organisations with access to personal information suffered from high regulatory pressure. This pressure doesn’t only consist of data protection issues such as EU legislation, but also of the need to provide information for law enforcement measures. Organisations then find themselves in a conflict of interest between business and the law. This conflict makes information security also a political issue inside the organisation that must be assessed by the management and cannot be managed solely with technical expertise. However, the issue of highest importance for information security governance was SOX. Its importance has already been mentioned in literature and it was confirmed in the case studies. Apart from the heavy burden of proof, which is very costly to the organisations, it had a great impact on the perception of information security at senior management level. Good corporate governance became connected to the integrity of data. Reporting lines were cut shorter to provide more direct information to top management, and information security grew in importance at all organisations’ audit departments. It is mostly de jure standards that are used to assure compliance, while de facto standards are often used to confirm the results of good information security management. The certification of these results represents an extra cost and is perceived as unnecessary for the internal security function. The application of a standard framework leading to regulatory compliance is the target for the organisations.

572 See Baskerville, R., Risk analysis: an interpretive feasibility tool in justifying information systems security, 1991, p. 128.
573 See ibid, p. 128.
574 See Garg, A., Curtis, J., Halper, H., Quantifying the financial impact of IT security breaches, 2003, p. 74.

The third point leading to the alignment of corporate security with business is cost reduction through gains in efficiency. With the extension of the information security risk analysis, as well as increasing costs for ensuring information security governance, information security grew notably in size and cost. As all case studies were carried out with large, multinational organisations, different legislations and security environments made information security an even more complex task for the organisations. Aligning here also meant streamlining and creating synergies to gain operational benefits.

The reorganisation and alignment of the security function are internal tasks. Their evolution has been the subject of a number of articles and books. The internal function of corporate security (IFCS) has been examined in the present research because it forms the basis of, and is therefore correlated to, what will be called in the following the external function of corporate security (EFCS). The EFCS comprises the area that is built around the IFCS and where corporate security overlaps with the interests of the organisation’s stakeholders. In case breaches and failures occur, customers, shareholders or other financial investors claim these interests and will punish bad information security management. Thus, information security can become an asset to the organisation.

As suggested by Eisenhardt,⁵⁷⁵ an a priori construct with a formulated research question was presented in the introduction of the present research and developed in detail in Part I. In this construct a number of possible stakeholder interests in an organisation’s EFCS were formulated. These are reputation, trust and certification.

Earlier in this section, reference was made to reputation risk and the problems of its quantification. Although no measures for its quantification exist so far, without exception all interviewees agreed on the importance of reputation risk for their business. The opportunity embedded in this risk was hence recognised as well. One of the major findings of the cross-case analysis was that organisations managed their reputation of being a secure company through targeted marketing campaigns, participation in survey journals, or the publication of corporate responsibility reports. It was found that a good reputation is expected to attract the right investors for the organisation and hence to increase the provision of money. Product α and Product β were also targeted to improve the reputation of the organisation and to create trust in the services delivered by Bank A and TelCo C. If reputation and trust are important attributes to sell products and services to customers, this importance increases with the amount of personal information organisations hold and with customers’ awareness. Generally this correlation was known to the organisations. Visible differences were made between customer segments. Retail customers were judged to have less knowledge about security issues and hence were believed to be less aware of security threats. In contrast, business customers were perceived to be much more aware of security threats, checking up on the security of products and services.

575 See Eisenhardt, K., Building Theories from Case Study Research, 1989, p. 533.

The third expected advantage gained through information security, and one which organisations could use to differentiate themselves from their competition, was certification. Although certification can work as a substitute for regulatory requirements and legal standards, it wasn’t found to immediately add value to the organisations. The substitution works if certification can provide proof points to management, customers and investors that proper security measures have been put into place. This becomes unnecessary if the regulatory burden is accordingly high, which is the case for organisations with a high amount of access to personal and sensitive data. Certification in that sense can only assure the customer of standards, and only becomes a competitive advantage where security products and services are traded in a sensitive environment with few regulatory obligations.

For further research, it is important to define the boundary of responsibility. So far very little has been published in literature on the importance of information security for customers. When researchers published on the topic, they provided an assessment of reputation, trust and certification to demonstrate the importance of information security to the business. What hasn’t been defined is the boundary of responsibility that answers the question of when organisations need to provide information security measures and when the customer sees it as his/her own responsibility or duty of care. As analysed in Chapter 3, jurisprudence hasn’t yet found an answer to the question of duty of care.⁵⁷⁶ In the concept of IFCS and EFCS, it is now that boundary in the EFCS artefact that needs to be defined.

576 See Lindup, K., Lindup, H., The Legal Duty of Care: A Justification for Information Security, 2003, p. 21.

Throughout the empirical research it became evident that there is a visible lack of communication between the internal information risk function and the organisations’ marketing, which could investigate this boundary. In fact, the external implications of information security were found to be a virtually unresearched topic. The IT approach used before, focused merely on security measures, has been exchanged for a more business-driven or risk-related approach. However, the information security requirements are still analysed internally and do not necessarily reflect what the market or, more specifically, the customers expect. Although in all cases comprehensive marketing facilities were available to the organisations, these were either not used or, if results existed, these were not communicated from marketing to the internal information security experts. The organisations’ research and development teams are still very much technically oriented, with security experts developing features that they see as necessary from their internal point of view. Bank A, which internally off-shored this function, used focus groups to test the features of the final products, thus only after their development, but the initiatives so far have exclusively been developed inside the organisation without any input from the organisation’s marketing department.

In the decision-making process of the organisations it was found that those in charge of the IFCS orientate themselves either directly according to technical market developments or according to where they believe the market is going. Security defence even today is based on an informal exchange of information between IT security experts. Industry committees have been established to decide on industry-wide standards that again are based on technical requirements but don’t reflect customer expectations and wishes.

The customer survey carried out by the marketing division of TelCo C, however, provides concrete figures on this subject and shows that customers see it to a large extent as their own responsibility to protect their devices, and not as the duty of care of the organisation. Hence, the protection of information assets is connected to the physical and technical device on which the data is stored. For the IFCS of an organisation this means that the responsibility to safeguard information assets that are stored internally remains solely with the organisation. However, in the EFCS domain organisations can compete on reputation, trust and, to a certain degree, on certification. At the edge of the boundary between the organisations’ responsibility and the perceived duty of care of the organisations’ customers, information security products and services can be profitably sold to the customer. In the business customer segment this boundary can be drawn even more clearly, as it is in the customer’s own interest to safeguard information. Information security then becomes an added value to the organisation, whether it integrates information security features into its existing products and services, offers them in a package, or offers them completely separately.

In the case of SoftCo D, which introduced security products to the market that were meant above all to complement the existing product range, the focus was on automating business, especially at the client or employee level. Interviewees across all case studies repeatedly said that the challenge is less to prevent hackers from penetrating their security technology than to manage their customers and employees so as to avoid security breaches caused by them. Hence, the products developed had to be built for non-security experts, with the main target of the security application being an easy-to-use approach to resolving any security problems. The technical solutions and products researched in the case studies had in common that they were built at application level and were therefore obvious and apparent to the user. The EFCS therefore also sets a different priority for the nature of its products, which are less technical and less oriented towards providing the highest level of security, but are adjusted to the knowledge of customers. To summarise, the EFCS in the future will depend largely on customers’ awareness and knowledge of information security measures and threats and will hence develop with time.

A determining factor for the extent to which an EFCS exists at an organisation is the nature of the interface between organisation and customer. This interface changed fundamentally with the arrival of the internet. The internet became the technical medium that replaces direct and personal customer communication to a large extent. The experience with this medium and its trustworthiness are essential for the organisations’ e-business. Bank B was an exception in this respect and was therefore missing some fundamental external security functions that existed in the other organisations, such as larger information security communication initiatives or other security products. Through the internet the customer has to relate to technical measures and faces newly emerging threats that create a demand for more and better security.

In the additional cases researched, other determining factors were found that can influence organisations’ EFCS negatively or can influence the extent to which organisations can use the EFCS as part of business strategy. Overregulation of the security market by the state is one of the reasons found. If data security is so vital for the customers of products and services, and hence leads to great regulatory attention to enhance consumer protection, organisations don’t have any space to compete on reputation and trust in that field. Although less distinct, a similar situation exists when organisations obtain a dominant position on the market and become a market leader. Because of their size and position, these organisations have a head start in comparison to their competitors in convincing customers of their trustworthiness when it comes to data protection issues. An entirely different situation presents itself when it is exclusively the intellectual property that needs to be protected by the organisation. Information security is then purely of importance for the organisation’s own survival, but not to its customers. The EFCS is in this case non-existent and only the IFCS is of greatest importance for the organisation’s survival.

In a final step it is important to establish the nature of the interrelationship between information security and business strategy. Overall, in all four cases an interrelationship could be confirmed. The reasons for information security to become part of business strategy were however notably different and will be analysed subsequently in conjunction with literature and the internal and external function of corporate security.

Because of its unquantifiable value, it is difficult to show that good information security management is part of an organisation’s reputation and hence of its business strategy. Thus, in the empirical research it was found difficult to prove an investment that could demonstrate organisations’ commitment to achieving a distinct competence in building up a reputation as a safe company. At the same time a strong argument was made in literature by Carmeli and Tishler,⁵⁷⁷ who showed the impact reputation has on organisations’ financial performance. According to the results recorded in interviews, reputation is an important issue and, although unquantifiable, has been used by all organisations for communication and marketing to the organisations’ stakeholders. Information leaflets and newspaper articles have been published and presentations were held at conferences. Product α, next to being a result of peer group pressure, was used for marketing and communication purposes. In fact it replaced a system regarded as up to a hundred percent secure with a product that was a novelty on the market and which hence couldn’t guarantee to deliver an equally high standard. In its decision-making process Bank A was considering criteria belonging to the EFCS, and took customers’ perception as well as market development and peer organisations into account. Criteria belonging to the IFCS, such as increased technical security of data, only came second in the decision-making process.

Industry sectors in which organisations hold personal customer information were found, however, to be much more reliant on reputation and more at the centre of attention of the regulator and the media.

577 See Carmeli, A., Tishler, A., Perceived Organizational Reputation and Organizational Performance: An Empirical Investigation of Industrial Enterprises, 2005, p. 13.

Reputation interconnects here with legal requirements and standards. Deficient information security management leading to deficient corporate governance was found to be a threat to the organisations’ reputation. Good information security management through good corporate governance, exemplified by regulatory compliance, standards and certification, was shown to protect the organisations’ reputation, but couldn’t be shown to add extra value to the organisation and hence wasn’t found to be part of business strategy. The reason is that standards, just as regulations, only set benchmarks but don’t show any distinct competences. Although certification might be helpful for achieving good information security management, it cannot create certainty because of a fast-moving and risky environment. The trust in certification is not yet so distinctive as to justify the high costs and hence cannot be treated on its own as an added value for the organisation.

An exception to this research finding is the direct linkage between business strategy and operational risks that exists through the Basel II framework, which correlates operational losses to the financial organisation’s equity capital. Hence the reduction of operational risks doesn’t only result in an immediate reduction of costs but enables the financial organisation to raise equity capital and hence improve its financial performance. The Basel II framework thus presents an exception among all information security related legal requirements, as it links good corporate governance directly to better business opportunities. The organisation’s stakeholders profit from good information security management. The organisation-strategy-performance link developed by Summer et al.⁵⁷⁸ applies, provided that more equity capital leads to better performance. Furthermore, only financial institutions fall into this category. Although many environmental factors can influence operational risks, they are part of the IFCS as they can be treated independently of these factors. Good management of operational risks depends on good internal management and good strategic alignment of the internal departments using good formal and informal measures.

To achieve Consonance, a criterion defined in Chapter 4, business strategy must represent an adaptive response to the external environment and to the critical changes occurring within it. As argued earlier on, new information security threats have created new revenue potential for organisations. The boundary of the EFCS illustrates where customers see the organisation in the duty of care or are willing to pay for better information security themselves, hence seeing the responsibility on their side. If organisations invest to research this boundary and find opportunities to provide information security services on customer demand, information security adds direct value to the organisation and becomes part of business strategy.

578 See Summer, C., Bettis, R., Duhaime, I., Grant, J., Hambrick, D., Snow, C., Zeithaml, C., Doctoral Education in the Field of Business Policy and Strategy, 1990, p. 367.

In the present research two cases, TelCo C and SoftCo D, researched this boundary and demonstrate such an interrelationship between information security and business strategy. Differences lie in their customer base as well as in the alignment between IFCS and EFCS.

The difference in the customer base influences the nature of the product or service offered by the organisations. While retail customers are interested in safeguarding only their personal information, businesses face much more complex security problems and look for an alignment of security applications as well as a time-saving streamlining of security products and services. Furthermore, business customers showed a higher awareness of information security threats and hence of solutions. Security is either inherent in the security product or service offered or must be purchased on top. Through regulatory requirements the pressure in this business segment grew further over the last years. Retail customers are less aware of the real threat scenario but are sensitive to the perceived threat environment that they form through personal acquaintances or the media, as the TelCo C survey showed. Both customer segments have in common that they look for applications that are easy to use and expect the organisations to extend their knowledge of IFCS and EFCS into the information security products and services offered.

Differences between the two cases lie further in the degree to which IFCS and EFCS are aligned. At TelCo C, although minor communication between the group’s IFCS and the EFCS took place to assure the technical integration of the solution into the corporate information security infrastructure, no results of the customer survey were communicated between the two functions; thus, the Head of FRS at TelCo C wasn’t aware of the investigated customer expectations of information security products and services at TelCo C. Furthermore, for the development and subsequent maintenance of Product β, TelCo C relied on external expertise and didn’t use its internal research and development department.

In contrast, SoftCo D’s information security products and services mirrored internal processes and solutions. Emphasis was put on the integrity of the organisation’s reputation and the provision of proof points such as information security standards. SoftCo D further incorporated all of its products and services offered. The organisation’s CSO was further marketing SoftCo D’s security products and services, as she deployed them and was hence acquainted with them. The organisation’s IFCS and EFCS were hence strongly interacting, leading to good corporate alignment.

Of all cases SoftCo D integrated information security most clearly into its business strategy; however, the three other cases also contribute to the final part of the discussion, where this interrelationship will be discussed in conjunction with the different concepts of business strategy that have been found in literature.

Firstly, this analysis focuses on the internal and external shaping of business strategy discussed in Chapter 4. For SoftCo D one of the threats on the market was that a number of smaller security organisations were about to move into the market providing more flexible solutions than SoftCo D could. The threat of new entrants, one of the forces Porter⁵⁷⁹ argues shape business strategy externally, was therefore a powerful reason for SoftCo D to incorporate information security into its business strategy at this point. At Bank A and TelCo C it was the anticipation of market development that led these organisations to invest and potentially profit from their information security products in the future. In all three organisations the “bargaining power of customers”⁵⁸⁰ described by Porter put pressure on, or in a more positive light, created opportunities for better security services and products. This bargaining power is determined by the level of knowledge customers have and hence their awareness, and by the position of the boundary of responsibility between organisation and customer. Hence these three external forces, market development, threat of new entrants and bargaining power of customers, act upon the EFCS of an organisation.

The second stream of thought in strategy literature focuses on the internal capabilities of a company and the appropriation and internalisation of assets. At SoftCo D an internalisation of assets took place through the acquisition of a number of smaller organisations specialised in information security. These were chosen according to their level of expertise and utility for SoftCo D. This expertise was then adapted to SoftCo D’s own products and services, creating a new knowledge base that is unique to the appropriating organisation. In Bank A, particular focus was put on the internal development of Product α. Bank A claims Product α to be an in-house development that was initiated by Bank A and developed by BankA.com. Thus, Product α is so far unique on the market, putting Bank A in a technologically advanced position. Bank B aligned its security function and introduced a permanent operational risk assessment function. The Basel II requirements linking operational losses to disposable equity capital, scheduled to kick in during 2007, will show how competitive Bank B’s solution is. Despite the very valuable information collected for the development of Product β, TelCo C didn’t communicate and internalise this information, which hence remains limited to the project. TelCo C’s lack of alignment between its IFCS and EFCS led to an isolation of the knowledge and not to the appropriation called for by Loveridge.⁵⁸¹ Customer knowledge is however used to create value for TelCo C in the sense of Probst et al.’s concept of Customer Knowledge Management.⁵⁸²

579 See Porter, M. E., How competitive forces shape strategy, 1979, p. 137.
580 Ibid, p. 140.

Elements of the content and process of business strategy are more difficult to juxtapose between cases, as information security products and projects were in different phases of their development. While SoftCo D had already started selling its security products, TelCo C was still in the phase of discussing a marketing strategy. Bank B will need to adapt to the Basel II requirements on operational risk in 2007, and Bank A had launched Product α to its business customers and didn’t have any marketing data available yet.

Strategy contents, which are “fundamental positions or results on which the organisation has made commitments to achieve”,⁵⁸³ varied amongst the cases. SoftCo D’s fundamental position was to increase its revenue and return through information security solutions and, in turn, to regain larger market shares on the software market. Bank B has to systematically assess its risks under the Basel II framework and decrease them, in order to improve its performance long-term through higher equity capital. Managers at Bank A were primarily concerned about the bank’s reputation and staying in the market. TelCo C invests in information security for revenue and to gain a competitive advantage through a faster and possibly better response to newly emerging information security threats.

The strategy process is concerned with the organisational structure, planning, control, incentives, human resource management and value systems of a firm, but also with how effective strategies are shaped within the firm and then validated and implemented efficiently.⁵⁸⁴ Organisational restructuring became necessary in Bank B. The management profits from lower operational losses through a higher share of equity capital; hence responsibilities were introduced where business incentives emerged. Product β at TelCo C was the result of a marketing initiative based on customer surveys, while Product α at Bank A was the effect of a long internal discussion among responsible managers at Bank A on the organisation’s future security strategy. In both organisations critics feared media attention that could lead to an overestimation of risks in the industry and more attention to information security threats in the industry. Both organisations hence chose a moderate marketing campaign. SoftCo D could successfully integrate the acquired organisations into its strategy process. The knowledge and expertise won through the acquisitions was integrated into the organisation’s own solutions, enriching SoftCo D’s product range. The organisation’s executive board communicated the new holistic security concept to the regional entities for market introduction. The technical background of most employees in the organisation facilitated the internal communication. Difficulties were only encountered in creating trust for SoftCo D’s security solutions and hence in selling them to customers. It is the overlap between customers and the EFCS that poses problems to organisations communicating their newly acquired competencies and hence creates new liabilities.

581 See Loveridge, R., Institutional Approaches to Business Strategy, 2003, p. 99.
582 See Probst, G., Gibbert, M., Leibold, M., Five Styles of Customer Knowledge Management, and How Smart Companies Use Them To Create Value, 2002, p. 459.
583 See Fahey, L., Christensen, H. K., Evaluating the research of strategy content, 1986, p. 168.
584 See Chakravarthy, B., Doz, Y., Strategy process research: Focusing on corporate self-renewal, 1992, p. 5.

In the case of Bank A, Bank B and TelCo C the incorporation of information security into the organisation’s business strategy can be described as an emergent strategy that hasn’t been set up beforehand, but that developed out of necessity in recent years.⁵⁸⁵ At SoftCo D on the other hand, a clear revenue opportunity has been identified that profits from developments on the governmental agenda as well as from newly emerging risks. However, in all cases information security has become a commodity that can add to business development.

b) Developed Hypothesis and Theory

The initial construct developed in the present research work includes variables that constitute the function of corporate security, with the organisation’s informational assets at their heart (see Figure 1): environmental factors, governance, IT/behaviour, and information security management. The empirical case studies showed that these variables led to an internal shift of the information security paradigm in all four cases. Organisational alignment was the main focus of this shift, making internal information security management easier, facilitating compliance with an increasing amount of regulatory requirements and coping with an increasing number of threats. These internal and external security threats against the internal information assets of the organisation are met through technical measures but also through behavioural measures, formal and informal.

585 See Kay, John, Foundations of corporate success: How business strategies add value, 1993, p. 337.

Nevertheless, during the analysis of the interrelationship between information security and business strategy, a new construct emerged that suggested the differentiation between an internal function and an external function of corporate security. These two functions can be defined in terms of patterns, of actions, of behaviours and of responsible agents.

The internal function is charged with the security of the data that is legally in the possession of the organisation and is hence protected by its internal security. This data includes the organisation’s intellectual property but also customer data that the organisation possesses due to business or legal requirements.

Elements of the IFCS are the risk assessment of newly emerging security threats, e.g. internal fraud or hackers trying to enter the organisation’s network, as well as formal and informal security measures. Furthermore, governance is a part of the IFCS; standards and certification are guidelines and proof points to the management and the organisation’s stakeholders that information inside the organisation is managed with due diligence. Regulatory requirements fulfil a similar function for the state.

The alignment of these IFCS elements can lead to more efficient information security management and hence to cost reductions for the organisation. However, throughout the investigation for this research only one example could be found where an interrelationship between information security and business strategy existed that actually lay within the IFCS, and it only applied to organisations in the banking sector. This interrelationship exists in the form of the Basel II framework, which links operational losses to the amount of equity capital available to the organisation and hence to the possibility for the organisation to improve its performance. Other possibilities for information security to become part of business strategy, however, showed that a new external function was necessary for information security to create added value for the organisation.

The external security function creates the fringe area between internal security and the environment of the organisation. It is characterised by newly emerging technical artefacts that enable the customer to establish direct contact with the organisation. This interface shapes the customer’s experience with the organisation. Moreover, the technology enables a virtual direct link between the customer and the organisation. To be able to use this link, the customer needs a personal device that enables the virtual connection. This personal device can be a personal computer or another mobile telecommunications device such as a mobile phone.


The determining question for the research, whether information security can become part of business strategy and hence a source of revenue for the organisation, depends on how the customer evaluates his/her duty of care. If this perceived duty of care (εc) is greater than zero, a revenue opportunity for the organisation theoretically exists; if it is zero, i.e. in the customer’s opinion no duty of care lies within his/her own responsibility, no revenue can be generated for the organisation.

εc > 0 : Revenue Potential (3)

εc = 0 : No Revenue Potential

Determining factors that might influence this boundary can be regulatory requirements,

ethics and culture. If the state takes a particular interest in the security of the medium or

interface, regulatory requirements can oblige the organisations or the customer to guarantee a

security service. Additionally, ethical values and cultures influence the perception of

responsibility in such a way that customers feel they can rely on business partners or prefer to

insure themselves.

In addition to the direct sale of security products and services, two other elements leading to increased competitive advantage and added value were identified: reputation and trust. These elements do not generate any direct revenue for the organisation, but they increase the usage of the technology through the interface, as customers are more likely to use it; this increased usage contributes indirectly to business development, revenue and competitiveness.

Other elements in the realm of information security that influence Organisation X’s business strategy are the threat of new entrants, peer group pressure and the internalisation of assets. The threat of new entrants influences information security strategy if an organisation already has information security services and products in place and sees several new competitors entering the same domains, threatening to destroy Organisation X’s distinctive competence. Peer group pressure leads to innovation in information security in order to remain competitive on the market. Such innovation requires the anticipation of where the market might go and hence requires analytical judgement of customer needs and internal technical capabilities. Analytical judgement and technical capabilities are assets that, if they are internalised into the function of corporate security, further determine Organisation X’s business strategy.


Figure 33: Internal and External Function of Corporate Security

Furthermore, the IFCS/EFCS theory suggests an alignment of the internal and external function of corporate security, creating a pattern of communication between customers and the internal corporate security function defined above. Good strategic alignment between IFCS and EFCS can generate better information risk management, as the company has better insight into customer security concerns and can hence adapt its vulnerability assessment accordingly. The more customers consider a security breach to be important, the more the organisation should try to avoid such a scenario in order to avoid higher reputation damage. At the same time, an alignment between IFCS and EFCS can provide proof points to the customers of Organisation X that good internal management is also reflected in good information security products and services.

[Figure 33 labels: EFCS (Information Security Products & Services; Reputation and Trust; Interface/Medium); Organisation X IFCS (Information Risk Management; Operational Risk; Security Standards/Certification; IT & Behaviour; Regulatory Requirements; Intellectual Property; Customer Data); εc > 0 and εc = 0; Internalisation of assets; Peer group pressure; Threat of new entrants]

In a second step, two customer segments are introduced into the framework, business and retail customers, which have commonalities but also notable differences in their behaviours and actions; the main issues are security concerns, technical capabilities, expertise and interests. Both segments expect personal or confidential information to be safe to the highest degree in the IFCS. However, if a security breach in the organisation’s IFCS occurs and data is lost, altered or accessed by an unauthorised person, customers have very little influence and can only ask for compensation and/or change the service provider. Differences exist in the EFCS of the organisation. The influence customers have on Organisation X’s business strategy relates to their bargaining power towards the organisation.

In comparison with retail customers, business clients feature much higher technical capabilities and security expertise and have greater security concerns regarding the loss, disclosure or alteration of information. In particular, the threat of competitive intelligence leads to a higher awareness of information security risks. Furthermore, business customers share similar concerns with the service provider, as they possess their own IFCS that is subject to regulatory requirements. Last but not least, through their IFCS business customers possess much higher technical capabilities and business expertise, which puts them in a much better bargaining position than retail customers.

In contrast, retail customers only very rarely possess similar expertise and technical capabilities and are therefore more reliant on their own perception, media coverage or politics to provide sufficient assurance of good information security management. The retail market is much more heterogeneous and must therefore be assessed individually by the organisation. Trends must be watched carefully, as newly emerging security threats might cause reputation damage to the organisation as well as offer revenue opportunities for it.

As a consequence of these differences between business and retail customers, the expectations of the solutions provided in the EFCS by the organisation differ and are hence also treated differently by the organisation. Because of their advantage in technology and expertise, business clients receive far more advanced solutions, for which they are potentially also willing to pay a premium. Products and services must also fit into the existing IT architecture of the business client. In the retail customer segment, differences can be noticed according to the age and background of the customer. Generally, retail customers expect holistic information security risk protection and are focused on easy-to-use solutions and products to safeguard their personal devices and information.

Other responsible agents are potential investors that provide financial assets to Organisation X but expect good information security governance in return. These financial assets contribute to Organisation X’s performance and to its competitiveness. Trust and reputation are essential patterns here that encourage good investment; conversely, bad information security governance discourages such investment.


Figure 34: The Role of Business and Retail Customers in the IFCS/EFCS Framework

[Figure 34 labels: EFCS (Information Security Products & Services); Business Clients; Organisation X IFCS (Information Risk Management; Operational Risk; Security Standards/Certification; IT & Behaviour); εc > 0; Competitive Intelligence; εc = 0; Investors; Regulatory Requirements; Corporate Responsibility; Retail Customers; Access to IFCS; Personal Data; Bargaining Power of Customers]

In a third step, the theory is further extended with the three CIA principles, attributing these to a number of patterns in the IFCS/EFCS theory. Originally meant to explain the reasons why organisations engage in information security, they rather fulfil various functions in the organisation’s IFCS and EFCS. In the theory developed here, availability is at the centre of the IFCS, i.e. the operational ability to continue the business after a major security fraud that causes a severe disruption or denial of service. The integrity of data is crucial in conjunction with regulatory requirements and proved to be just as important to business clients and to investors as to Organisation X. Business clients in many cases have to meet similar legal requirements for their IFCS as Organisation X, and investors are interested in the demonstration of good corporate governance at Organisation X. The confidentiality of data is crucial to business and retail customers and is the principle which raises most concerns in the EFCS. Business customers fear competitive intelligence intruding into their systems. Retail customers fear the disclosure of personal and sensitive data that is stored inside the company, as well as its interception during the use of the products and services that Organisation X provides. All principles, however, interrelate and must be applied in conjunction with each other in the IFCS/EFCS framework.

Figure 35: CIA Principles in the IFCS/EFCS Framework

Finally, it is important to discuss the conditions for the IFCS/EFCS theory to apply. A first prerequisite is the existence of a technical medium or interface, such as the internet or other PCDs, that the organisation uses to communicate with its customers, or that customers themselves are reliant on information security in their IFCS so that they have overlapping interests with Organisation X. A second prerequisite is the existence of a free market in the area, which means that a predominant role of the state leading to an overregulation of the market leaves no space for Organisation X to compete with its peer organisations and predetermines the organisation’s and the customer’s responsibility for security and duty of care (εc). A similar effect results if Organisation X achieves a predominant or leading position on the market, leading to such a significant size that customers trust the reputation of the organisation per se. A last prerequisite is that the IFCS is of such importance to the organisation that information security affects the organisation’s survival and leads to a predetermination of εc.

[Figure 35 labels: A; EFCS (Information Security Products & Services); Business Clients; Organisation X IFCS (Information Risk Management; Operational Risk; Security Standards/Certification; IT & Behaviour); εc > 0; Competitive Intelligence; Retail Customers; Personal Data; εc = 0; C; Investors; I; Regulatory Requirements; Access to IFCS. A, C and I mark the availability, confidentiality and integrity principles in the framework.]

In summary, the theory introduces the concept of an internal function and an external function of corporate security that is based on the conceptual framework of responsibility modelling, creating an artefact of patterns, actions, behaviours and responsible agents. The internal function comprises what is understood to relate to classical information risk management. The external function circumscribes the technical interface of the internal function with the customer and investor. According to legal requirements, ethical values and culture, customers are willing to pay for security services that they accept as their personal responsibility. Investors are attracted through good information security governance. The bargaining power of customers, the threat of new entrants, peer group pressure and the internalisation of assets were found to further determine the business strategy of Organisation X. Different standards and expectations apply to business and retail customers, which have different levels of expertise and technical capabilities as well as different security concerns. The theory further provides an attribution of the three information security principles, confidentiality, integrity and availability, according to their function inside Organisation X.

The theory argues for a fundamental shift in the information security paradigm.

Information security so far has been found in research to be an exclusively defensive measure

that protects the already existing assets of the organisation. In this artefact advantages could

only be generated through cost reductions by streamlining processes and aligning duties. The

theory generated in the present research work shows that information security can add value to

the organisation through increased performance, competitive advantage, increased trust and

reputation, and higher revenue. Information security can be used as an offensive tool on the

market.

c) Embedding of Theory in Other Information Security Management Concepts

In Chapter 6 several theoretical concepts of information security were discussed. The diagram of information security approaches developed by Siponen suggests that information security research will increasingly focus on governance and management issues. On a conceptual basis the author applied the Responsibility Modelling framework developed by Backhouse and Dhillon, which focuses on distributing responsibilities between agents, “eliciting and assigning structures of responsibility”.586 The IFCS/EFCS framework belongs to this category of research, as it advances the existing theories and frameworks by providing insight into responsibilities shared between the organisation and its customers. It further specifies Liebenau et al.’s587 boundaries of responsibilities and the impact of these boundaries on information security management and particularly on business strategy. Behavioural patterns and perceptions, as well as communication between agents, are crucial to improving existing information security management.

586 Backhouse, J., Dhillon, G., Structures of responsibilities and security of information systems, 1996, p. 4.

However, Backhouse and Dhillon take an ontological-epistemological approach in their research that is based on understanding social norms and individual affordances. Their framework is built on the assumption that “reality is the outcome of human interactions which generates shared norms and experiences”.588 They take an interpretivist point of view and hence use a different philosophical stance from the positivist philosophy used in the present thesis. They further apply their framework to the intra-organisational behavioural patterns of a non-commercial entity, the British National Health Service Hospital Trust. In contrast, the IFCS/EFCS theory uses a different approach by showing the managerial impacts of responsibilities and behavioural patterns such as trust and reputation on the performance and competitiveness of organisations, that is, the impact of social norms and behaviour on organisational commercial structures.

It is important to note that the organisation and its customers share information security concerns through a technical interface or medium. Thus, the IFCS/EFCS theory also falls under the socio-technical approach described by Siponen.589

In Chapter 6 concepts ranging from information risk management through hybrid information security methods to information security governance frameworks were described and discussed. None of these concepts takes the organisation’s customers into consideration in shaping information security management. For instance, Willison’s and Backhouse’s Crime Specific Opportunity Structure590 focuses on attacker profiles and on processes for avoiding information security breaches. Governance frameworks such as the GAISP591 or the Corporate Governance Task Force ISG Programme592 aim to structure information security management systematically in order to render the organisation more transparent. Baskerville’s Security Risk Planning Model593 helps in the process of assessing and managing security risks. Von Solms developed a series of frameworks that deal with the technical importance of information security in Porter’s value chain, the benchmarking of security levels and the role of standards and regulatory requirements in organisations594, but they do not contribute to understanding the external shaping of information security strategy.

587 See Liebenau, J., Kärrberg, P., International Perspectives on Information Security Practices, 2006, p. 4.

588 Backhouse, J., Dhillon, G., Structures of responsibilities and security of information systems, 1996, p. 5.

589 See Siponen, M., Analysis of Modern IS Security Development Approaches: Towards the next generation of social and adaptable ISS methods, 2005, p. 370.

590 See Willison, R., Backhouse, J., Re-conceptualising IS security: Insights from a criminological perspective, 2005.

591 See Information Systems Security Association, GAISP Version 3.0, 2004.

592 See Corporate Governance Task Force, Information Security Governance: A Call to Action, 2003.

An exception is the knowledge management based system developed by Belsis, Kokolakis and Kiountouzis, which is of interest to the IFCS/EFCS theory. Belsis et al. consider their theory to be able to support information security management, as it aims to “bring to light the knowledge dimension of IS security and to determine what constitutes IS security knowledge and where it originates from”.595 Their idea of considering the organisational environment in order to gain insight into new security threats is validated in the present research. Knowledge, which they describe as “codified information with a high proportion of human value added including insight, interpretation, context, experience, wisdom and so forth”,596 adds to good information security management. The present thesis specifies the organisational relationships of this system. The different levels of knowledge existing among the organisation’s stakeholders, including its customers, must be considered when collecting information but also when implementing security measures.

Finally, in Chapter 6 two concepts were identified as being of particular interest to the

present research work because of their close relation to business strategy concepts.

The BPIRM model developed by Coles and Moulton597 uses the process and content approach to circumscribe the ideal information security management framework and adapts two theoretical models, Deming’s PDCA and Porter’s value chain, to current information security management. The process framework is very close to Deming’s PDCA model and is oriented towards the optimisation of the internal information risk management of an organisation. More important for the present research is their content framework, which is based on Porter’s value chain and leads to good performance through good IT leadership, good corporate governance and increased brand reputation. The BPIRM model’s suggestions could be confirmed for the IFCS in the present research. Information risk management moves into the centre of attention due to a higher business alignment and new security functions. Furthermore, the chain of good “process leadership of people and resources” leading to good corporate governance, better reputation, higher brand value and better performance was found to be a logic also followed in the case studies for the present research. The empirical validity of the framework’s content model can hence be confirmed.

593 See Baskerville, R., Risk analysis: an interpretive feasibility tool in justifying information systems security, 1991, p. 123.

594 See Halliday, S., Badenhorst, K., Von Solms, R., A business approach to effective information technology risk analysis and management, 1996, pp. 25; see Von Solms, R., Von Solms, S.H., Caelli, W.J., Information Security Management: A Framework for Effective Management Involvement, 1990, pp. 217; see Von Solms, R., Von Solms, S.H., Caelli, W.J., A Model for Information Security Management, 1993, pp. 12; see Van de Haar, H., Von Solms, R., A Tool for Information Security Management, 1993, pp. 7; see Vermeulen, C., Von Solms, R., The information security management toolbox- taking the pain out of security management, 2002, p. 124; See von Solms, R., Information Security Management (1): why information security is so important, 1998, pp. 174-177; Information Security Management(2): guidelines to the management of information technology security (GMITS), 1998, pp. 221-223; Information security management (3): the Code of Practice for Information Security Management (BS 7799), 1998, pp. 224-225; Information security management: why standards are important, 1999, pp. 50-57; see Posthumus, S., Von Solms, R., A framework for the governance of information security, 2004, pp. 644.

595 See Belsis, P., Kokolakis, S., Kiountouzis, E., Information systems security from a knowledge management perspective, 2005, pp. 196.

596 See Davenport, T., Volpel, S., The rise of knowledge towards attention management, Journal of Knowledge Management 5, No. 3, pp. 212-221.

597 See Coles, R., Moulton, R., Operationalizing IT risk management, 2003, p. 491.

However, in comparison with the IFCS/EFCS theory, the BPIRM framework fails to take into account the external influences that can and should complement the internal information security management of an organisation. It suggests that through business process leadership of people and resources good governance, and thus brand value, can be generated. Hence the external shaping of business strategy through customers, as described by the IFCS/EFCS model, is not included. The IFCS/EFCS model explains the external requirements for an organisation to make use of its reputation and enhance its IFCS. The BPIRM model further fails to take operational risks and their potential benefits for the organisation into account.

The MPIAS framework developed by Birchall et al.598 takes this external dimension into consideration by adding “internal/external stakeholder requirements” to their framework. However, Birchall et al. also consider exclusively the internal alignment of information security to lead to a competitive advantage for the organisation. It is hence a defensive measure of streamlining that leads to cost reductions and operational benefits, and not a proactive measure that adds value to the organisation. Birchall et al. further organise around this alignment a mechanism of board, strategic and operational action that is controlled through audits and the attribution of responsibilities in the organisation, and it is hence more holistic than Coles and Moulton’s BPIRM model. Their contribution that strategic alignment leads to an improvement of the organisation’s information security management could also be confirmed in the present research. In addition to the elements comprised in the MPIAS framework, the IFCS/EFCS theory suggests an alignment of the internal and external function of corporate security, hence taking customer concerns into consideration in order to either proactively provide proof points or adjust to the customer’s risk perception.

598 See Birchall, D., Ezingeard, J., McFadzean, E., Howlin, N., Yoxall, D., Information assurance: Strategic alignment and competitive advantage, 2004.

Both frameworks focus on the internal network, but mention new technology media such as the internet or new technology interfaces such as the use of portable computing devices only as a threat to the organisation’s IFCS. The IFCS/EFCS theory demonstrates under what circumstances information security can be value-adding to the organisation and what the conditions are for information security to become a source of revenue for the organisation.

The IFCS/EFCS theory extends the existing information security literature by building on a number of thoughts developed in information security concepts such as the responsibility modelling developed by Backhouse and Dhillon, the Security Knowledge Management System developed by Belsis, Kokolakis and Kiountouzis, the BPIRM model developed by Coles and Moulton, and the MPIAS framework by Birchall et al. The IFCS/EFCS theory, however, contributes to the literature by providing a non-defensive security framework that demonstrates information security as being an asset to an organisation and that takes the external dimension of the information security function into account.

Conclusion

Chapter 9 contains the theory and hence the contribution of the dissertation to the existing literature. The empirical findings have been juxtaposed with the theoretical findings in Part I, emphasising commonalities and differences.

The theory builds on the previous level of abstraction and summarises the thesis’ contribution. The function of corporate security was found to have changed from a defensive instrument of organisations to an instrument that can contribute to the organisation’s success through better performance, distinctive competence and/or a competitive advantage. In order for information security to become such a key element in an organisation’s business strategy, internal as well as external variables must be considered. These key elements were further found to distinguish the theory from other security frameworks, demonstrating a new approach to analysing and researching the organisation of information security.


General Conclusion

The purpose of this research was to understand the current function of corporate security within large organisations. Particular interest lay in investigating whether an interrelationship between information security and business strategy exists and, as this could be verified, of what nature this interrelationship is. This shift of the information security paradigm leads to a new understanding of information security within information security research.

In this thesis’ general conclusion, a short overview is given of the topics addressed as well as of the empirical research conducted and the final discussion of findings. In a second paragraph, the thesis’ contributions to theory, methodology and practice will be summarised. In a third paragraph the implications of the research approach will be discussed, that is, its limitations and the adequacy of the research framework. In a final paragraph, areas of further research will be identified that can build on the present research work.

a) Overview of the Thesis

In the introduction of the dissertation an initial theoretical construct was presented, providing a guideline on what constitutes, in the literature, the function of corporate security. Its variables were identified theoretically in the first part of the dissertation. Environmental factors such as time/risk or globalisation and technical development were found to influence the corporate security function (Chapter 1). Technological improvement has led to a sophistication of attacks but also to increased possibilities to gain control and to automate security processes that provide confidentiality, integrity and availability. The holistic approach striven for, which takes a comprehensive point of view, also includes behavioural security threats that can originate from outside the company as well as from the inside (Chapter 2). Important developments have also taken place in the domain of information security governance. Regulatory requirements became more confining for organisations. A variety of information security standards emerged that provide guidelines of best practice and benchmarking for organisations (Chapter 3). Last but not least, risk management has to adjust to regulations, the nature of threats and the business environment. The assessment of security risks is one of the central themes in information security literature and shaped the new information security term information risk management (Chapter 4).

In Chapter 6 an overview of information security concepts, models and frameworks was given to analyse existing theories and research on the topic. Finally, three frameworks were found to contribute to the IFCS/EFCS theory developed in the present research: first, a knowledge management-based approach that encourages the collection of external data to improve information security knowledge; second, an adoption of Porter’s value chain arguing that good corporate governance leads to a higher brand value, better reputation and hence better performance; third, the MPIAS framework, which argues that strategic alignment can create a competitive advantage as well as operational benefits. Overall, the thesis was placed in the conceptual framework of responsibility modelling, acknowledging the fact that if information security is a part of an organisation’s business strategy, agents such as customers and investors must be taken into account.

The research question formulated in the introduction was whether there is an interrelationship between information security and business strategy and, if so, what the nature of this interrelationship is. Chapter 5 therefore analyses the concept of business strategy to provide a qualification for the empirical research in Part II. The methodology was hence adjusted to the research question and the variables identified in Part I, which suggested an in-depth analysis of multiple case studies. The methodology developed by Eisenhardt to build theory from case study research was further used to carry out the empirical analysis of four case studies in the banking, telecommunications and software development sectors. These were carried out in three European countries, the UK, Switzerland and Germany, with large multinational organisations. Chapter 8 contains an in-depth analysis of these four case studies and additional interviews with other multinational organisations that helped shape the hypothesis and theory. The individual case studies are structured according to the initial construct (Figure 1) presented in Part I. Findings are compared and summarised in the final cross-case analysis of Chapter 8. Based on these results, Chapter 8 introduces for the first time a differentiation of the internal and the external function of corporate security. Findings from both the in-depth analysis and the cross-case analysis are discussed in conjunction with the literature and information security frameworks in Chapter 9.

Chapter 9 further contains the hypothesis and theory developed in the dissertation, which is introduced at three levels. First, the notion of an internal and an external function of corporate security is put forth, extending the existing literature on how information security relates, through its internal function, to the outside. Definitions of the IFCS and the EFCS are given. In a second step the role of customers in the framework is defined. A distinction is made between business and retail customers, as they possess different levels of expertise, technical capabilities and security concerns. Thirdly, the CIA security principles are attributed to different functions in the IFCS/EFCS framework.

In summary, the thesis demonstrates how the change in the function of corporate security leads to a shift in the information security paradigm: information security becomes of reputational and also of financial value to an organisation.

b) Contributions

Overall, the present research work should lead to a better understanding of the information security artefact. The thesis aims to bridge an existing gap between the technical construct, behaviour-driven interpretive research and the management literature. Theoretical, methodological and practical contributions have been made and are presented in the following sections.

i) Theoretical Contributions

The thesis’ overall theoretical contribution is to the organisation theory literature. The organisation is at the centre of the research and is analysed as an artefact to help understand the variables and interrelationships that influence the function of corporate security. Different variables influence the perception and knowledge of agents, here organisations. Organisations take responsibility according to their social role, which is determined either by legal obligations or by the personal judgement of their customers.

Within the information security research domain, the IFCS/EFCS theory contributes to the responsibility modelling research stream as well as to information security management research. A novelty is the introduction of the customer as an agent in information security research. While the importance of reputation and trust for customer action has been the topic of a number of articles, the influence of customers on organisation strategy and theory remained a black hole in the literature. The IFCS/EFCS model is the first theory in which a direct correlation has been established between the external environment and the function of corporate security, and which provides a theoretical framework for how the organisation can improve its information security management under new environmental and competitive circumstances. The thesis further gives detailed information about the process of how, and the reasoning why, organisations have established an external function of information security. The thesis is a contribution to the theoretical artefact concerned with the interrelationships between the technical side of information security and strategic management. The technical interface emerging as a new interactive medium between organisation and customer makes trust and reputation in this interface increasingly important. By researching the organisations’ translation of security concerns into technology, the thesis contributes to a socio-technical approach.

ii) Methodological Contributions

The present research work makes a number of methodological contributions to the information security literature.

Its first methodological contribution lies in the empirical research and the validation of the findings of the IFCS/EFCS theory. So far, very few organisational theories exist in the information security literature, and only a small proportion of these can claim empirical validation. Most information security frameworks have been developed on a theoretical basis, such as Hong et al.’s Integrated System Theory of Information Security Management [599] and Von Solms’ Information Security Management Model and Information Security Governance Framework [600], or have been adapted from other management frameworks, such as Porter’s Value Chain [601], Clarke’s Opportunity Structure for Crime [602] or Gao et al.’s Knowledge Creation Theory [603]. The empirical approach of this thesis can hence be argued to contribute to the limited empirical research in this field.

[599] See Hong, K., Chi, Y., Chao, L., Tang, J., An integrated system theory of information security management, 2003, pp. 243.
[600] See Von Solms, R., Von Solms, S.H., Caelli, W.J., A Model for Information Security Management, 1993, pp. 12; see Posthumus, S., Von Solms, R., A framework for the governance of information security, 2004, pp. 644.
[601] See Halliday, S., Badenhorst, K., Von Solms, R., A business approach to effective information technology risk analysis and management, 1996, pp. 25; see Coles, R., Moulton, R., Operationalizing IT risk management, 2003, pp. 491.
[602] See Willison, R., Backhouse, J., Re-conceptualising IS security: Insights from a criminological perspective, 2005, pp. 24.
[603] See Belsis, P., Kokolakis, S., Kiountouzis, E., Information systems security from a knowledge management perspective, 2005, pp. 196.

It further distinguishes itself in its research method. Birchall et al. use a Delphi method [604], that is, expert rounds and interviews, to provide empirical evidence. Gurpreet Dhillon based his thesis on two case studies in the public sector: the Sunrise NHS Trust and the Southam Borough Council [605]. The present research is based on multiple case studies in the commercial field, in different sectors and countries. It therefore provides detailed insight into organisational structures and processes and at the same time gives insight into cross-sectoral and cultural commonalities and differences. In addition to twenty-three interviews, data triangulation, that is, the use of multiple research methods, has been applied with the aim of achieving quantitative validation of the research findings. The research methodology hence functions as a bridge between qualitative interpretive research on the one hand and quantitative positivistic research on the other. The methodological contribution of the present research work is hence the advancement of the research strategy used so far in information security research, and specifically in information security management.

iii) Practical Contributions

The present research work delivers empirical evidence on how organisations can, under given prerequisites, use information security in favour of their business. Primarily, the IFCS/EFCS theory extends existing organisational information risk management structures, which cover the internal alignment of information security governance, IT security, formal and informal measures and risk assessment, by adding an external dimension to them. This external dimension helps organisations adjust their security priorities not only to the level of the attackers and the regulator but also to what customers expect from their service or product provider. The alignment between internal and external corporate security helps to adjust priorities and to use information security more effectively.

The thesis further gives practical information on the boundary that determines when customers are willing to pay for security products and services, and hence on how organisations can determine when information security becomes a source of revenue for them. This boundary depends on legal requirements, of course, but also on the cultural and ethical background of the customers.

[604] See Birchall, D., Ezingeard, J., McFadzean, E., Howlin, N., Yoxall, D., Information assurance: Strategic alignment and competitive advantage, 2004, p. 2.
[605] Dhillon, G. S., Interpreting the Management of Information Systems Security, 1995, pp. 2.

Practical contributions further include high-level information on organisational and business strategy, that is, how organisations can use information security to improve their performance and competitive standing or to increase their revenue, not only through cost reduction but by adjusting their priorities, and consequently their spending, to demand and to their competitors.

In summary, the following contributions are made through the research of this thesis:

Thesis Contributions

Theoretical
- Verification of an interrelationship between information security and business strategy: bargaining power of customers, threat of new entrants, peer group pressure and internalisation of assets have been identified as the major drivers
- Emergence of a new approach in information security research by considering information security as a value-adding and not as a preserving/defensive measure: better performance and competitive advantage are the critical variables
- Development of the IFCS/EFCS theory, introducing the concept of boundaries of responsibility and an external function of corporate security
- Classification of the CIA principles according to their role in the organisation
- Introduction of customers and investors as agents in the responsibility modelling framework
- The IFCS/EFCS theory contributes to organisation theory using a socio-technical approach

Methodological
- Contribution of empirical data to information security research
- Use of multiple case studies based on qualitative and quantitative data to build information security management theory

Practical
- The thesis provides high-level information on organisation and business strategy, identifying threats and opportunities in the context of information security
- The thesis gives detailed information on regulations, organisational structures and processes in order to improve the management, performance and competitiveness of an organisation through a holistic information security management framework

Table 10: Summary of Thesis’ Contributions

c) Implications of the Research Approach

Although the author believes that the best research approach was chosen for the purpose of the present research work, this approach has a number of implications that result in research design limitations. Furthermore, the adequacy of the research approach is evaluated here in the final conclusion.

i) Adequacy of the Research Framework

The author judges theory building through multiple case studies to be the best choice for the research purposes of the thesis. The fact that the topic of information security strategy has so far received little attention in the security literature leads to a lack of existing research results and theories to build on or extend. Empirical data in information security research is still rarely generated and, if so, not in large quantities. The information security community still struggles between technical-positivistic and interpretive-behavioural research. The wide and important field of information security management and information security strategy has so far only been picked up by economic researchers attempting to quantify the ideal investment in information security in organisations by weighing expenses against potential losses. The present research work opens a new dimension for further research. In order to claim this fundamental shift in research, the solidity of the research methodology and results was the priority. Taking into account the advantages and disadvantages of qualitative and quantitative research discussed before, this research framework combines the advantage of significant depth with sufficient width, in order to produce enough detail to explain the “why” but also to claim analytical generalisation across different industries and cultural backgrounds. The research framework, however, only provides first evidence for the existence of such a paradigm shift and for what its basic components are. Further research has to provide evidence in the form of statistical generalisation, building on the thesis’ findings and theory.

ii) Research Design Limitations

In order to gain sufficient empirical evidence to create a substantial ground for a hypothesis and theory, a limited number of four cases was chosen, which is at the same time the main limitation of the research design. The most fundamental decision was hence to conduct a qualitative instead of a quantitative study. Although quantitative elements exist in the research design through the number of interviews and additional quantitative primary sources, four case studies can only provide limited evidence. No statistical generalisation can be claimed for the theoretical construct, which makes it difficult to argue for the general replication of the results in other industries [606].

Another limitation of the research design is that the time spent within each organisation was limited to the point at which the researcher perceived saturation of information. As a result, the researcher could not gain an independent view of the long-term process leading to the change in the function of corporate security within the organisations. The author’s observations therefore only give a snapshot of current developments, and the process is reconstructed from the information gained from interviewees. A longitudinal study could have provided further evidence on the process angle.

Implications of Research Approach

Adequacy of Research Framework
- The research framework complies with the need to create sufficient depth and width to research the phenomenon in question and in order to claim analytical generalisation for the IFCS/EFCS theory.

Research Design Limitations
- No statistical generalisation can be claimed
- No longitudinal observation of the researched processes has been carried out

Table 11: Summary of Implications of Research Approach

d) Areas of Further Research

The purpose of the thesis was an exploratory study of the function of corporate security and of the interrelationship between information security and business strategy. The thesis provides evidence of such an interrelationship, which has developed in recent years and is becoming part of the function of corporate security, especially within large organisations. Several areas of further research open up by building on this finding.

[606] At the same time, it must be considered that the IFCS/EFCS theory picks up a fairly recent phenomenon in industry. Although there is little doubt that the role of information security and of customer awareness will grow in the future, a quantitative study must take into account the awareness among agents in the IFCS/EFCS framework in order to produce significant results.

In the first place, a quantitative cross-industry analysis researching the existence of an EFCS across sectors would give further insight into developments on the market, that is, in which industry sectors customers are particularly interested in information security measures and in which industry sectors organisations believe that they can gain a competitive advantage through enhanced information security. This would lead to a statistical generalisation of the IFCS/EFCS theory.

A further enhancement of the IFCS/EFCS theory would be to investigate the boundary of responsibilities in more detail, that is, the perceived duty of care between organisations and their business and retail customers. Especially in the field of social sciences it would be of interest to research the personal value of security to customers and whether the customer’s understanding of technicality and security risk awareness influence this value. Moreover, it is important to investigate how customers evaluate reputation and trust and when they see it as their personal responsibility to secure access to their personal information.

A third area of further research is the extension of the IFCS/EFCS theory with the Security Knowledge Management System developed by Belsis, Kokolakis and Kiountouzis. Such an extension would provide further insight into how the knowledge previously gained on customer concerns and priorities could be used inside the organisation to improve information security management. This amendment of the IFCS/EFCS theory would then also contribute to organisation theory.

Areas of Further Research

IFCS/EFCS Theory
- A quantitative cross-industry analysis of the results researched here might lead to a statistical generalisation of the IFCS/EFCS theory elements
- Research of the variables that determine the boundary of responsibility and the perceived duty of care for security between organisations and customers
- Extension of the IFCS/EFCS theory with Belsis et al.’s Security Knowledge Management System

Table 12: Areas of Further Research

Epilogue

Information security is of growing importance because of the increased storage of information as data on technical devices and its transmission over technical media. The need for security, however, seems to grow with the lack of interpersonal contact, and technical security measures must inspire trust. Despite all benchmarks, security is a matter of personal judgement and should be treated as such. With a lack of liability and uncertainty about risks, customers decide on the level of risk they are willing to take and thereby create a market for competition. Some customers are willing to contribute to their security, creating revenue potential for producers and service providers.

Organisations must become aware of the importance of security in transactions with their customers and/or their peer organisations. Security has become more than a purely defensive measure and an expense to the organisation that can only contribute to the business through the reduction of costs. Information security in banking translates into a reduction of operational loss in return for more equity capital. In service industries it translates into better reputation, a competitive advantage and potentially higher revenue. For corporations in general it translates into more risk-aware and responsible investors. It is the bargaining power of customers, peer group pressure and the threat of new entrants that influence business strategy through a change in the function of corporate security. These variables were found to constitute the interrelationship between information security and business strategy.

The thesis argues and provides evidence for a new understanding of information security and provides the basis for further research in this field.

References

259

A

Adams, Anne, Sasse, Martina Angela, Privacy in Multimedia Communications: Protecting Users, Not Just Data, In: People and Computers XV - Interaction without frontiers, Blandford, A., Vanderdonkt, J., Gray, P., Springer, Lille, 2001, pp. 49-64.
Allen, Linda, Boudoukh, Jacob, Saunders, Anthony, Understanding market, credit, and operational risk: the value at risk approach, Chapter five: Extending the VaR approach to operational risks, Blackwell, Malden, 2004, pp. 158-199.
Althaus, K., Backhouse, James, An expert system for the modelling of legal norms, In: Knowledge-Based Management Support Systems, Doukidis, G., Land, F., Miller, G., Ellis Horwood Books, Chichester, 1989, pp. 313-325.
Andersen, T.J., Information technology, strategic decision making approaches and organizational performance in different industrial settings, The Journal of Strategic Information Systems 10, No. 2, 2001, pp. 101-119.
Anderson, James M., Sockol, David, International Outsourcing: An Effective Security Enhancement, Information Security Bulletin 9, May 2004, pp. 131-138.
Anderson, James M., Why we need a new definition of information security, Computers & Security 22, No. 4, 2003, pp. 308-313.
Andrews, Kenneth R., The Concept of Corporate Strategy, 3rd Ed., Homewood, 1987, pp. 132.
Audit Commission, Opportunity Makes a Thief: An Analysis of Computer Abuse, Audit Commission Publications, London, 1994, pp. 27.

B

Backhouse, James, Dhillon, Gurpreet, Structures of responsibilities and security of information systems, European Journal of Information Systems 5, No. 1, 1996, pp. 2-10.
Backhouse, James, Silva, Leiser, Hsu, W.Y., Circuits of Power in Creating de Jure Standards: Shaping the International IS Security Standard, Management of Information Systems Quarterly (forthcoming special issue on Standards 2006), pp. 16.
Bahli, Bouchaib, Benlimane, Younes, An exploration of wireless computing risks: Development of a risk taxonomy, Information Management & Computer Security 12, No. 3, Emerald Press, 2004, pp. 245-254.


Barnes, Didi, Portable Computing Devices: New Risks – New Remedies, Information Security Bulletin, March 2004, pp. 57-66.
Bartlett, Christopher A., Ghoshal, Sumantra, Matrix management: Not a structure, a frame of mind, Harvard Business Review 68, No. 4, 1990, pp. 138-145.
Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards, Revised Framework (Basel II), 2004, pp. 251.
Baskerville, R., Risk analysis: an interpretive feasibility tool in justifying information systems security, European Journal of Information Systems 1, No. 2, 1991, pp. 121-130.
Baskerville, Richard, Designing Information Systems Security, John Wiley Information Systems Series, Chichester, 1988, pp. 247.
Bauer, Martin W., Gaskell, George, Qualitative researching with text, image and sound - a practical handbook, Sage Publications, London, 2000, pp. 384.
Belanger, France, Hiller, Janine S., Smith, Wanda J., Trustworthiness in electronic commerce: the role of privacy, security, and site attributes, Journal of Strategic Information Systems 11, No. 4, Elsevier, 2002, pp. 245-270.
Belcher, Tim, Yoran, Elad, Riptech Internet Security Threat Report, Vol. II, Riptech Inc., July 2002, pp. 43.
Belsis, Petros, Kokolakis, Spyros, Kiountouzis, Evangelos, Information systems security from a knowledge management perspective, Information Management & Computer Security 13, No. 3, Emerald Press, 2005, pp. 189-202.
Benbasat, Izak, Goldstein, David K., Mead, Melissa, The Case Research Strategy in Studies of Information Systems, MIS Quarterly 11, No. 3, 1987, pp. 369-386.
Bennett, Roger, Gabriel, Helen, Reputation, Trust and Supplier Commitment: the case of shipping company/seaport relations, Journal of Business & Industrial Marketing 16, No. 6, 2001, pp. 424-438.
Bequai, August, Safeguards for IT managers and staff under the Sarbanes-Oxley Act, Computers & Security 22, No. 2, Elsevier, 2003, pp. 124-127.
Bernstein, Peter L., Against the gods: The remarkable story of risk, John Wiley & Sons Inc, New York, 1998, pp. 383.
Bharadwaj, A., A resource-based perspective on information technology capability and firm performance: an empirical investigation, MIS Quarterly 24, No. 1, 2000, pp. 169-196.
Bhimani, Alnoor, Expenditures on Competitor Analysis and Information Security: A Managerial Accounting Perspective, pp. 95-111, In: Management Accounting in the Digital Economy, edited by Bhimani, Alnoor, Oxford University Press, 2003, pp. 299.


Birchall, David, Ezingeard, Jean-Noel, McFadzean, Elspeth, Howlin, Neil, Yoxall, David, Information assurance: Strategic alignment and competitive advantage, Henley Management College and QinetiQ, Grist, London, 2004, pp. 73.
Birman, K.P., The next-generation internet: unsafe at any speed, IEEE Computer 33, No. 8, 2000, pp. 54-60.
Blakley, Bob, McDermott, Ellen, Geer, Dan, Information Security is Information Risk Management, ACM New Security Paradigms Workshop, Conference Paper, ACM Press, New York, 2001, pp. 97-104.
Bombel, Adam, The World’s Best Internet Banks 2005, Global Finance 19, No. 8, 2005, pp. 31-33.
Bouchard, Thomas J., Jr., Unobtrusive measures: An inventory of uses, Sociological Methods and Research 4, No. 3, 1976, pp. 267-300.
Bourgeois, L. S. III, Toward a Method of Middle-Range Theorizing, Academy of Management Review 4, No. 3, 1979, pp. 443-447.
British Standards Institution (BSI), BS 7799: A Code of Practice for Information Security Management, 1st & 2nd ed., 1993/1995, pp. 108/35.
Buffa, Elwood Spencer, Modern Production Management, 4th Ed., John Wiley & Sons Ltd, New York, 1973, pp. 704.
Bundesamt für Sicherheit in der Informationstechnik, IT Security Guidelines, 2000, pp. 48.
Bundesrepublik Deutschland, Strafgesetzbuch, 1871, in the version of 2006.
Burrell, Gibson, Morgan, Gareth, Sociological Paradigms and Organisational Analysis: Elements of the Sociology of Corporate Life, Heinemann Educational, London, 1979, pp. 432.

C

Carmeli, Abraham, Tishler, Asher, Perceived Organizational Reputation and Organizational Performance: An Empirical Investigation of Industrial Enterprises, Corporate Reputation Review 8, No. 1, Henry Stewart Publications, 2005, pp. 13-30.
Caudill, E.M., Murphy, P.E., Consumer Online Privacy: Legal and Ethical Issues, Journal of Public Policy and Marketing 19, No. 1, 2000, pp. 7-19.
Cavanagh, Thomas E., Corporate Security Management: Organization and Spending Since 9/11, The Canadian Conference Board, Survey 2003, pp. 55.
CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Overview Incident and Vulnerability Trends, Survey Module 1, 2003, pp. 32.


Chakravarthy, Balaji, Doz, Yves, Strategy Process Research: Focusing on Corporate Self-Renewal, Strategic Management Journal 13, Special Issue, 1992, pp. 5-14.
Chan, Yolande E., Huff, Sid L., Barclay, Donald W., Copeland, Duncan G., Business Strategic Orientation, Information Systems Strategic Orientation, and Strategic Alignment, Information Systems Research 8, No. 2, 1997, pp. 125-150.
Chan, Yolande, Competing Through Information Privacy, In: Competing in the Information Age: Align in the Sand, Luftman, Jerry N., 2nd Ed., Oxford University Press, 2003, pp. 350-361.
Charette, R.N., Application Strategies for Risk Analysis, McGraw-Hill, 1990, pp. 210.
Club Informatique des Grandes Entreprises Françaises (CIGREF), Intelligence économique et stratégique : Les systèmes d’information au cœur de la démarche, 2003, http://www.cigref.fr/cigref/livelink.exe/fetch/-9159/27381/IES-web2.pdf?nodeid=27382&vernum=0, visited on 16. 11. 2004, pp. 131.
CLUSIS - Maury, Claude, Comparaison succincte entre les normes ISO/IEC 17799:2000 et ISO/IEC 17799:2005, Lausanne, July 2005, pp. 11.
Coles, Robert, Moulton, Rolf, Operationalizing IT risk management, Computers & Security 22, No. 6, Elsevier, 2003, pp. 487-493.
Coles, Robert Stephen, Organizational perceptions of information and IT risk: an investigation of task and institutional influences on cognition over time, University of Leeds, PhD Thesis, 2003, pp. 293.
Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management - Integrated Framework, Executive Summary, 2004, http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf, visited on 16. 8. 2005, pp. 16.
Computer Security Institute/FBI, 2005 Computer Crime and Security Survey, 2005, pp. 26.
Corporate Governance Task Force, Information Security Governance: A Call to Action, released April 2003, http://www.cyberpartnership.org/InfoSecGov4_04.pdf, visited on 14. 8. 2005, pp. 49.
Cottings, Doug, Annual Online Banking Survey, Ipsos Insight, 2005.
Creswell, John W., Qualitative Inquiry and Research Design: Choosing Among Five Traditions, SAGE Publications, London, 1998, pp. 402.
Creswell, John W., Research design: Qualitative and quantitative approaches, SAGE Publications, London, 1994, pp. 228.
Crotty, Michael, The Foundations of Social Research: Meaning and Perspective in the Research Process, SAGE Publications, London, 2003, pp. 248.


D

Daniels, Caroline, Information Technology: The Management Challenge, Addison-Wesley Economist Intelligence Unit, 1993, pp. 199.
Daniels, John L., Daniels, N. Caroline, Global Vision: Building New Models for the Corporation of the Future, McGraw-Hill, 1993, pp. 224.
Das, Sidhartha R., Zahra, Shaker A., Warkentin, Merrill E., Integrating the content and process of strategic MIS planning with competitive strategy, Decision Sciences 22, No. 5, 1991, pp. 953-984.
DACS Gold Practices, Formal Risk Management, http://www.goldpractices.com/practices/frm/index.php, visited on 20. 6. 2005.
De Blasis, Jean-Paul, Fondements de la sécurité des systèmes d'information, Documentation Formation Continue CSSI, Geneva, 2004, pp. 42.
De Blasis, Jean-Paul, Le défi de la mise en conformité (Compliance) pour les systèmes d'information, Séminaire Sécurité d’Xpert Solutions S.A., Geneva, 2006, pp. 7.
De La Fuente Sabate, Juan Manuel, De Quevedo Puente, Esther, Empirical Analysis of the Relationship Between Corporate Reputation and Financial Performance: A Survey of the Literature, Corporate Reputation Review 6, No. 2, Henry Stewart Publications, 2003, pp. 161-177.
Denzin, Norman K., Lincoln, Y.S., Handbook of Qualitative Research, SAGE Publications, Thousand Oaks, 1994, pp. 643.
Denzin, Norman K., The Research Act: A Theoretical Introduction to Sociological Methods, 2nd edition, McGraw-Hill, New York, 1978, pp. 370.
Department of Trade and Industry, Information Security Breaches Survey, 2004, pp. 36.
Department of Trade and Industry, Information Security: Hard Facts, 2004, pp. 11.
Department of Trade and Industry, Information Security: Protecting Your Business Assets, 2004, pp. 30.
Department of Trade and Industry, Outsourcing IT-Based Services for Small and Medium Enterprises: Security Issues, 2004, pp. 5.
Department of Trade and Industry/PricewaterhouseCoopers, Information Security Breaches Survey, 2006, pp. 36.
Dhillon, Gurpreet S., Interpreting the Management of Information Systems Security, London School of Economics and Political Science, Ph.D. Thesis, 1995, pp. 288.


Dhillon, Gurpreet, Backhouse, James, Current directions in IS security research: towards socio-organizational perspectives, Information Systems Journal 11, No. 2, 2001, pp. 127-153.
Dhillon, Gurpreet, Backhouse, James, Information System Security Management in the New Millennium, Communications of the ACM 43, No. 7, 2000, pp. 125-128.
Dhillon, Gurpreet, Challenges in Managing Information Security in the New Millennium, In: Information Security Management: Global Challenges in the New Millennium, edited by Dhillon, Gurpreet, Idea Group Publishing, 2001, pp. 1-9.
Dhillon, Gurpreet, Principles for Managing Information Security in the New Millennium, In: Information Security Management: Global Challenges in the New Millennium, edited by Dhillon, Gurpreet, Idea Group Publishing, 2001, pp. 173-177.
Dowling, Graham, Corporate Reputation: Should you compete on yours?, California Management Review 46, No. 3, 2004, pp. 19-37.
Dowling, Graham, Reputation risk: it is the board’s ultimate responsibility, Journal of Business Strategy 27, No. 2, Emerald Publishing, 2006, pp. 59-68.

E

Earl, Michael, Knowledge management strategies: toward a taxonomy, Journal of Management Information Systems 18, No. 1, 2001, pp. 215-233.
Eisenhardt, Kathleen M., Building Theories from Case Study Research, Academy of Management Review 14, No. 4, 1989, pp. 532-550.
Eloff, Jan H. P., Eloff, Mariki, Information Security Management: A New Paradigm, Proceedings of the 2003 annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology SAICSIT '03, Conference Paper, 2003, pp. 130-136.
Ensor, Benjamin, Forrester Phishing Report: What UK Net Users Think About Phishing, Forrester Research Publications, Cambridge, MA, 2005, pp. 14.
Ernst & Young, Global Information Security Survey 2002, Presentation Services, 2002, pp. 20.
Ernst & Young, Global Information Security Survey 2004, Presentation Services, 2004, pp. 28.
European Parliament and Council, Directive on privacy and electronic communications, 2002/58/EC, Official Journal of the European Communities, 2002, pp. 11.


F

Fahey, Liam, Christensen, H. Kurt, Evaluating the research of strategy content, Journal of Management 12, No. 2, 1986, pp. 167-183.
Fama, E.F., Fisher, L., Jensen, M., Roll, R., The adjustment of stock prices to new information, International Economic Review 10, No. 1, 1969, pp. 1-21.
Fawzi, Riad, Evaluating Organisational Privacy Policy Implementation, London School of Economics and Political Science, Ph.D. Thesis, 2004, pp. 284.
Feeny, D., Ives, B., In search of sustainability: reaping long-term advantage from investment in information technology, Journal of Management Information Systems 7, No. 1, 1990, pp. 27-46.
Fombrun, Charles J., Reputation: Realizing Value from the Corporate Image, Harvard Business School Press, Boston, 1996, pp. 441.
Fombrun, Charles J., Foss, Christopher, Business Ethics: Corporate Responses to Scandal, Corporate Reputation Review 7, No. 3, Henry Stewart Publications, 2004, pp. 284-288.
Fombrun, Charles J., Shanley, Mark, What’s in a Name? Reputation Building and Corporate Strategy, Academy of Management Journal 33, No. 2, 1990, pp. 233-258.
Freeman, R. Edward, Strategic Management: A Stakeholder Approach, Pitman Publishers, 1984, pp. 276.

G

Galbreath, Jeremy, An overview of the role of information technology in strategic management: Part 1, International Journal of Information Technology Management 2, No. 4, Inderscience Enterprises, 2003, pp. 291-311.
Galliers, Robert, Choosing Information Systems Research Approaches, In: Information systems research: issues, methods and practical guidelines, Galliers, Robert, Blackwell Scientific, London, 1992, pp. 144-162.
Garg, Ashish, Curtis, Jeffrey, Halper, Hilary, Quantifying the financial impact of IT security breaches, Information Management & Computer Security 11, No. 2, MCB Press, 2003, pp. 74-83.
Gates, Bill, Speech at the RSA Conference 2005: Security: Raising the Bar, San Francisco, California, February 15, 2005, http://www.microsoft.com/billgates/speeches/2005/02-15RSA05.asp, visited on 12. 2. 2006.
Ghoshal, Sumantra, Bartlett, Christopher A., Moran, Peter, A new manifesto for management, Sloan Management Review 40, No. 3, Spring 1999, pp. 9-20.

References

266

Glaser, Barney, G., Strauss, Anselm L., The discovery of grounded theory: strategies for qualitative research, Weidenfeld and Nicolson, London, 1968, pp. 271. Gordon, Lawrence A., Loeb, Martin P., Managing Cybersecurity Resources: a cost-benefit analysis, McGraw-Hill, New York, 2005, pp. 223. Gordon, Lawrence A., Loeb, Martin P., The Economics of Information Security Investment, ACM Transactions on Information and System Security 5, No. 4, 2002, pp. 438-457. Gosschalk, Brian, Hyde, Allan, The contribution of research to corporate governance post-Enron, International Journal of Market Research 47, No. 1, 2005, pp. 29-44. Goulding, Christina, Grounded Theory: A Practical Guide for Management, business and Market Researchers, SAGE Publications, London, 2002, pp. 186. Granova, Anna, Eloff, J.H.P., A legal overview of phishing, Computer Fraud & Security, July Issue 7, 2005, pp. 6-11. Great Britain, Data Protection Act 1998, Elizabeth II, Chapter 29, Queen's Printer of Acts of Parliament, 1998. Guidentops, Erik and De Haes, Steven, CotiT 3rd Edition Usage Survey: Growing Acceptance of CobiT, Information Systems Control Journal 6, No. 1, 2002, pp. 2-4. Gupta, Anil K., Govindarajan, V., Business Unit Strategy, Managerial Characteristics, and Business Unit Effectiveness at Strategic Implementation, Academy of Management Journal 27, No. 1, 1984, pp. 25-41. H Halliday, Sharon, Badenhorst, Karin, Von Solms, Rossouw, A business approach to effective information technology risk analysis and management, Information Management & Computer Security 4, No.1, MCB Press, 1996, pp. 19-31. Harmantzis, F. Risky Business: Turbulent times focus attention on operational risk management in financial services, February 2003, OR&MS, Institute for Operations Research and the Management Sciences, http://www.lionhrtpub.com/orms/orms-2-03/frrisk.html, visited on 26. 8. 2005. Hawker, Andrew, Security and Control in Information Systems, Routledge, London, 2000, pp. 400.

Hedlund, Gunnar, A model of knowledge management and the N-form corporation, Strategic Management Journal 15, Special Issue, 1994, pp. 73-90. Heemstra, Fred J. and Kusters, Rob J., Dealing with risk: a practical approach, Journal of Information Technology 11, 1996, pp. 333-346.

References

267

Henderson, J.C, Venkatraman, N., Understanding strategic alignment, Business Quarterly 55, No.3, 1991, pp. 72-79. Herremans, Irene M., Akathaporn, Parporn, McInnes, Morris, An Investigation of corporate social responsibility reputation and economic performance, Accounting Organizations and Society 18, No. 7/8, Pergamon Press, 1993, pp. 587-604. Higgins, Huong Ngo, Corporate system security: towards an integrated management approach, Information Management & Computer Security 7, No.5, MCB Press, 1999, pp. 217-222. Hinde, Stephen, The Weakest Link, Computers & Security 20, No. 4, Elsevier, 2001, pp. 295-301. Hirschheim, R. A., Information Systems Epistemology: An Historical Perspective, In: Information systems research: issues, methods and practical guidelines, Robert Galliers, Blackwell Scientific, London, 1992, pp. 28-60. Hitt, Michael A., Ireland, R. Duane, Hoskisson, Robert E., Strategic Management: Competitiveness and Globalization Concepts, 3rd edition, South-Western College Pub, Cincinnati, 1999, pp. 502. Homans, G.C., Contemporary theory in sociology, In: Handbook of Modern Sociology, R. E. L. Faris, Rand McNally, Chicago, 1964, pp. 951-977. Höne, Karin, Eloff, J.H.P., Information security policy- what do international information security standards say?, Computers & Security 21, No. 5, Elsevier, 2002, pp. 402-409. Hong, Kwo-Shing, Chi, Yen-Ping, Chao, Louis, R., Tang, Jih-Hsing, An integrated system theory of information security management, Information Management & Computer Security 11, No.5, MCB Press, 2003, pp. 243-248. I Information Assurance Advisory Council, Corporate Governance & Information Assurance: What Every Director Must Know, Working Paper, 2002, pp. 20. Information Systems Security Association, May 2004, http://www.issa.org/gaisp/_pdfs/v30.pdf, visited on 18. 11. 2005, pp. 60. Information Systems Security Association, November 2003, http://www.issa.org/gaisp/_pdfs/overview.pdf, visited on 18. 11. 2005, pp. 21. 
Institute of Directors in South Africa, King II Report, Conference Sandton Convention Centre, Conference Paper, 2002, pp. 48. International Organization for Standardization, ISO/IEC 17799:2000, Information technology — Code of practice for information security management, 2000, pp. 84.

References

268

International Organization for Standardization, ISO/IEC TR 13335, Part 1-5, in AFNOR, La Sécurité Informatique: Manager et Assurer, Paris, 2002, pp. 379. International Organization of Standardization, Plan-Do-Check-Act Model, http://iso-17799.safemode.org/index.php?page=BS7799-2, visited on 28. 8. 2005. International Security Forum, Standard of Good Practice for Information Security, Version 4.1, 2005, pp. 278. IT Governance Institute and Information Systems Audit and Control Foundation, CobiT, 3rd edition, 2000: Management Guidelines, Executive Summary, Framework, Audit Guidelines, Control Objectives, Implementation Tool Set. IT Governance Institute, CobiT Mapping, 2004, http://isaca.org-COBIT_Mapping_Paper_6jan04.pdf, visited on 15. 8. 2005, pp. 63. IT Governance Institute, IT Control Objectives for Sarbanes Oxley, http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes-Oxley_7july04.pdf, visited on 27. 5. 2005, pp. 92. J James, H., Coldwell, R.A., Corporate Security: An Australian Ostrich, Information Management & Computer Security 1, No. 4, MCB Press, 1993, pp. 10-12. Janczewski, Lech, Xinli Shi, Frank, Development of Information Security Baselines for Healthcare Information Systems in New Zealand, Computers & Security 21, No. 2, Elsevier, 2002, pp. 172-192. Jarillo, J. Carlos, Strategic Logic, Palgrave Macmillan, Hampshire, 2003, pp. 233. Jensen, M.C., Meckling, W.H., The Nature of Man, Journal of Applied Finance 7, No. 2, 1994, pp. 4-19. Jick, Todd D., Mixing qualitative and quantitative methods: Triangulation in action, Administrative Science Quarterly 24, No. 4, 1979, pp. 602-611. Joint Information Systems Committee (JISC), Developing a Security Policy, 2001, http://www.jisc.ac.uk/index.cfm?name=jcas_papers_security, consulted on August 16, 2005, pp. 5. Jordan, Ernie, Silcock, Luke, Beating IT Risk, John Wiley & Sons Ltd, New York, 2004, pp. 278.

References

269

K Kahle, Egbert, Merkel, Wilma, Fall- und Schadensanalyse bezüglich Know-how/ Informationsverlusten in Baden- Württemberg ab 1995, Sicherheitsforum Baden- Württemberg, Universität Lüneburg, 2004, pp. 95. Kaplan, Robert S., Norton, David P., Using the Balanced Scorecard as a Strategic Management System, Harvard Business Review 74, No.1, pp. 75-85. Katos, Vasilios, Adams, Carl, Modelling corporate wireless security and privacy, Journal of Strategic Information Systems 14, No. 3, 2005, pp. 307-321. Kay, John, Foundations of Corporate Success: How business strategies add value, Oxford University Press, Oxford, 1993, pp. 416. Kettunen, Pertti, Problems of the value added statement, University of Jyväakyla, Department of Economics and Management, No. 3, Working Paper, 1979, pp. 28. Knorr-Cetina, K., Bruegger, U., Global Microstructures: The Virtual Societies of Financial Markets, American Journal of Sociology 107, No. 4, 2002, pp. 905-950. Kogut, Bruce, Normative Observations on the International Value-Added Chain and Strategic Groups, Journal of International Business Studies 15, No. 2, 1984, pp. 151-167.

Kogut, Bruce, Zander, Udo, Knowledge of the firm and the evolutionary theory of the multinational corporation, Journal of International Business Studies 24, No. 4., Palgrave Macmillan, 1993, pp. 625-645.

Konsynski, B., McFarlan, W., Information partnerships—shared data, shared scales, Harvard Business Review 68, No. 5, 1990, pp. 114-120. Koved, L., Security Challenges for Enterprise Java in an E-Business Environment, IBM Systems Journal 40, No. 1, pp. 130-152. KPMG, 2002 Global Information Security Survey, 2002, http://www.kpmg.com/microsite/informationsecurity/isssurvey.html, visited on 25. 11. 2005. Kwok, Lam-for, Longley, Dennis, Information security management and modelling, Information Management & Computer Security 7, No. 1, MCB Press, 1999, pp. 30-39. L Landwehr, C.E., Computer Security, International Journal of Information Security 1, No. 1, 2001, pp. 3-13. Lari, Alireza, The transformational effects of technology on operations management, International Journal of Information Technology and Management 1, No. 2, 2002, pp. 256-272.

References

270

Laurence, Andrew, So What Really Changed After Enron?, Corporate Reputation Review 7, No. 1, Henry Stewart Publications, 2004, pp. 55-63. Leavitt, H.J., Whisler, T.L., Management in the 1980, Harvard Business Review 36, No. 6, 1958, pp. 41-48. Lee, Allen S., A Scientific Basis for Rigor and Relevance in Information- Systems Research, submission in process, presented at the London School of Economics and Political Science 20. 6. 2006, pp. 26. Lee, Matthew K.O., Turban, Efraim, A Trust Model for Consumer Internet Shopping, International Journal of Electronic Commerce 6, No. 1, Sharpe, 2001, pp. 75-91. Lester, T., The Reinvention of Privacy, The Atlantic Monthly, March 2001, pp. 27-29. Levin, H.A., Askin, F., Privacy in the Courts: Law and Social Reality, Journal of Social Issues 33, No. 3, pp. 138-153. Liebenau, Jonathan, Kärrberg, Patrik, International Perspectives on Information Security Practices: Opinions, Preferences and Tools in the Financial Services Industry, London School of Economics and Political Sciences, 2006, pp. 51. Lindup, Kenneth, Lindup, Heather, The Legal Duty of Care-A Justification for Information Security, Information Security Bulletin 8, No. 1, 2003, pp. 21-25. Liu, Chang, Marchewka, Jack T., Lu, June, Chun-Sheng, Yu, Beyond concern--- a privacy-trust-behavioral intention model of electronic commerce, Information & Management 42, No. 1, 2005, pp. 289-304. Lohmeyer, Daniel F., McCrory, Jim, Pogreb, Sofya, Managing Information Security, McKinsey Quarterly, Special Edition: Technology Issue 4, 2002, pp. 12-15. Lorsch, Jay W., Berlowitz, Leslie, Zelleke, Andy, Restoring Trust in American Business, MIT Press, Cambridge, 2005, pp. 185. Loveridge, Ray, Institutional Approaches To Business Strategy, In: The Oxford Handbook of Strategy: A Strategy Overview and Competitive Strategy, Volume 1, Oxford University Press, New York, 2003, pp. 98-131. Lowson, Robert H., Strategic operations management: the new competitive advantage, Routledge, London, 2002, pp. 
325. M Marshall, C., Measuring and Managing Operational Risk in Financial Institutions: Tools, Techniques and Other Resources. Wiley Frontiers in Finance, John Wiley & Sons, Inc., 2001, pp. 594.

References

271

May, Thornton, Strategic Ignorance: the new competitive high ground, Information Management & Computer Security 6, No. 3, MCB Press, 1998, p. 127. McFarlan, F. Warren, Information Technology changes the way you compete, Harvard Business Review 62, No. 3, 1984, pp. 98-103. McGuire, Jean B., Schneeweis, Thomas, Branch, Ben, Perceptions of Firm Quality: A case or result of firm performance, Journal of Management 16, No. 1, 1990, pp. 167-180. Merton, Richard K., Social theory and social structure, enlarged ed., Free Press, New York, 1968, pp. 702. META Group, Security Adoption and Deployment Strategies, www.metagroup.com/cgi-bin/inetcgi.jsp visited on 28.1.2006. Meyer, Alan D., What is Strategy’s Distinctive Competence?, Journal of Management 17, No. 4, 1991, pp. 821-833. Mintzberg, Henry, Somon, Robert, Basu, Kunal, Beyond Selfishness, 2002, MIT Sloan Management Review 44, No. 1, 2002, pp. 67-74. Mintzberg, Henry, The Strategy Concept I: Five Ps For Strategy, California Management Review 30, No. 1, 1987, pp. 11-24. Mitnick, Kevin D., Are You the Weak Link?, Harvard Business Review 81, No. 4, 2003, pp. 18-20. Miyazaki, A.D., Fernandez, A., Consumer perceptions of privacy and security risks for online shopping, The Journal of Consumer Affairs 35, No. 1, pp. 27-44. Miyazaki, A.D., Fernandez, A., Internet privacy and security: an examination of online retailer disclosures, Journal of Public Policy and Marketing 19, No. 1, 2000, pp. 54-61. Mosakowski, Elaine, Earley, P. Christopher, A Selective Review of Time Assumptions in Strategy Research, Academy of Management Review 25, No. 4, 2000, pp. 796-812. Moulton, Rolf and Coles, Robert S., Applying information security governance, Computers & Security 22, No.7, Elsevier, 2003, pp. 580-584. N National Institute of Standards and Technology, Computer Security Incident Handling Guide, U.S. Department of Commerce, NIST Special Publication 800-61, 2004, pp. 148. 
National Institute of Standards and Technology, Generally Accepted Principles and Practices for Securing Information Technology Systems, U.S. Department of Commerce, NIST Special Publication 800-14, 1996, p. 22.

References

272

National Research Council, Dr. David Clark (MIT), Computers at Risk, National Academy Press, 1991, pp. 303. Newton, J., Strategies for problem prevention, IBM Systems Journal 24, No. 3/4, 1985, pp. 248-263. O O’Brian, Dale G., Yasnoff, William A., Privacy, Confidentiality, and Security in Information Systems of State Health Agencies, American Journal of Preventive Medicine 16, No. 4, 1999, pp. 351-358. Office of Government Commerce, About ITIL, http://www.ogc.gov.uk/index.asp?id=1000367, visited on 16. 8. 2005. Oltsik, Jon, IT governance: is it the answer?, Tech Republic, CNET Networks, released January 22, 2003, http://www.zdnet.com.au/insight/0,39023731,20271444,00.htm, visited on 25. 5. 2005. Organisation for Economic Co-operation and Development, OECD Guidelines for the Security of Information Systems, OECD Publications, 1996, pp. 50. Organisation for Economic Co-operation and Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, http://www.oecd.org/dataoecd/16/22/15582260.pdf, visited on 2. 6. 2005, pp. 30. Orlikowski, Wanda J., Iacono, C. Suzanna, Research Commentary: Desperately Seeking the „IT” in IT Research- A Call to Theorizing the IT Artifact, Information Systems Research 12, No. 2, 2001, pp. 121-134. Orlitzky, M., Schmidt, F. Rynes, S., Corporate Social Responsibility and Financial Performance: a meta-analysis, Organization Studies 24, No. 3, 2003, pp. 403-441. Osborne, K., Auditing the IT Security Function, Computers & Security 17, No. 1, Elsevier, 1998, pp. 34-41. P Patton, Michael Quinn, Qualitative Evaluation and Research Methods, SAGE Publications, Newbury Park, 1990, pp. 432. Peters, Thomas J., Waterman, Robert H., In search of excellence: lessons from America’s best-run companies, Warner Books, New York, 1983, pp. 360. Podolny, Joel M., A Status-Based Model of Market Competition, American Journal of Sociology 98, No. 4, 1993, pp. 829-872.

References

273

Pollard, C., Telecom fraud: The cost of doing nothing just went up, Computers & Security 24, No. 7, Elsevier, 2005, pp. 437-439. Porter, Michael E. and Millar, V.E., How information gives you competitive advantage, Harvard Business Review, Nolan, Norton & Co, July-August 1985, pp. 149-160. Porter, Michael E., How competitive forces shape strategy, Harvard Business Review, Nolan, Norton & Co, March-April 1979, pp. 137-145. Porter, Michael E., The Competitive Advantage of Nations, Harvard Business Review, Nolan, Norton & Co, March-April 1990, pp. 73-93. Porter, Michael E., Competitive advantage: creating and sustaining superior performance, Revised 6th Edition, Free Press, 1998, pp. 557. Porter, Michael E., What is Strategy?, In: On Competition, Harvard Business School Publishing, Boston, 1998, pp. 39-73. Posthumus, Shaun, Von Solms, Rossouw, A framework for the governance of information security, Computers & Security 23, Elsevier, 2004, pp. 638-646. Poullet, Yves – Julia, Barcelo, Rosa, Health Telematics Networks: Reflections on Legislative and Contractual Models Providing Security Solutions, Electronic Communication Law Review 4, No. 3, Turpin Distribution Ltd, 1997, pp. 177. Power, R., 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Issues & Trends 8, No. 1, 2002, p. 1-22. Prairie, Patti, Benchmarking IT Strategic Alignment, In: Competing in the Information Age: Strategic Alignment in Practice, Jerry N. Luftman, Oxford University Press, New York, 1996, pp. 242-290. PricewaterhouseCoopers, Martin Luther University, Global Economic Crime Survey 2005, http://bussmann2.jura.uni-halle.de/econcrime/PwC2005_globalcrimesurvey.pdf, consulted on November 30, 2005, pp. 36. Probst, Gilbert J. B., Leibold, Marius, Gibbert, Michael, Strategic Management in the Knowledge Economy, Wiley, 2002, pp. 354. Probst, Gilbert J. 
B., Gibbert, Michael, Leibold, Marius, Five Styles of Customer Knowledge Management, and How Smart Companies Use Them To Create Value, European Management Journal 20, No. 5, 2002, pp. 459-469. Purser, Steve, Balancing Threats and Opportunities, Information Security Bulletin 9, No.2, 2004, pp. 125-130.

References

274

Q Quinn, James Brian. Strategies for Change, In: The Strategy Process, Mintzberg, Henry, Quinn, James Brian, Ghoshal, Sumantra, Revised 2nd European Edition, Prentice Hall Europe, 1998, pp. 10-16. R Ragin, C. C., The Comparative Method: Moving beyond Qualitative and Quantitative Strategies, University of California Press, Berkley, 1987, pp. 185. Roberts, Peter W., Dowling, Graham R., Corporate reputation and sustained superior financial performance, Strategic Management Journal 23, No. 12, pp. 1077-1093. Rockart, John F., The Changing Role of the Information Systems Executive: A Critical Success Factors Perspective, Sloan Management Review, Fall 1982, pp. 3-13. Rodgers, John A., Yen, David C., Chou, David C., Developing e-business: a strategic approach, Information Management & Computer Security 10, No. 4, MCB Press, 2002, pp. 184-192. Rüegg-Stürm, Johannes, The New St. Gallen Management Model: Basic Categories of an Approach to Integrated Management, Palgrave Macmillan, Hampshire, 2005, pp. 88. Rumelt, Richard R., Evaluating Business Strategy, In: The Strategy Process: Concepts, Contexts Cases, Mintzberg, Henry, Lampel, Joseph, Quinn, James Brian, Ghoshal, Sumantra, Global Fourth Edition, Prentice Hall, 2003, pp. 80-88. Rumelt, Richard R., Toward a strategic theory of the firm, In: Competitive strategic management, Lamb, B., Prentice Hall, New Jersey, 1984, pp. 556-570. S Sambamurthy, V., Zmud, Robert, Arrangements for Information Technology Governance: A Theory of Multiple Contingencies, MIS Quarterly 23, June 1999, pp. 261-290. Schmundt, Hilmar, Verseuchter Seuchenschutz, Spiegel online, released December 5, 2005, http://www.spiegel.de/spiegel/0,1518,388324,00.html, visited 5. 12. 2005. Schultz, Eugene, Sarbanes-Oxley - a huge boon to information security in the US, Computers & Security 23, No.5, Elsevier, 2004, pp. 353-354. 
Schwarz, A., Hirschheim, R., An extended platform logic perspective of IT governance: managing perceptions and activities of IT, Journal of Strategic Information Systems 12, May 2003, pp. 129-166.

References

275

Scientific and Technological Options Assessment, Development of Surveillance Technology and Risk of Abuse of Economic Information, Vol. 1-5/5, European Parliament Press, Luxembourg, 1999. Scientific and Technological Options Assessment, Securing Process Control Systems - IT Security; Briefing Note, 2004, Internal Document, European Parliament, pp. 4. Scott, Susan V., Barrett, Michael I., The Development of Electronic Trading in the Futures Industry: Strategic Risk Positioning in a Globalising Age, London School of Economics and Political Science, Working Paper Series, 113, 2002, pp. 24. Selznick, Philip, Leadership in Administration: A Sociological Interpretation, Harper and Row, New York, 1957, pp. 162. Shain, Michael, An Overview of Security: Information At Risk/The Nature of Security-Confidentiality, Integrity and Availability, In: Information security handbook, Caelli, William, Longley, Dennis, Shain, Michael, Basingstoke, Macmillan, 1991, pp. 1-9. Sheriff, Mohamed Abdul, The Value of Information in Organisations: A Study of Information Use Situations as Contexts of Value, London School of Economics and Political Science, Ph.D. Thesis, 2000, pp. 243. Siponen, Mikko T., A conceptual foundation for organizational information security awareness, Information Management & Computer Security 8, No. 1, MCB Press, 2000, pp. 31-41. Siponen, Mikko T., An Analysis of the Recent IS Security Development Approaches: Descriptive and Prescriptive Implications, In: Information Security Management: Global Challenges in the New Millennium, edited by Dhillon, Gurpreet, Idea Group Publication, 2001, pp. 101-123. Siponen, Mikko T., Designing Secure Information Systems and Software, University of Oulu, Ph.D. Thesis, 2002, pp. 78. Siponen, Mikko T., Analysis of Modern IS Security Development Approaches: towards the next generation of social and adaptable ISS methods, Information and Organisation 15, No. 4, 2005, pp. 339-375. 
Smith, H.S., Milberg, S.J., Burke, S.J., Information Privacy: Measuring individuals’ concerns about organizational practices, MIS Quarterly 20, No. 2, 1996, pp. 167-196. Smith, Herman W., Strategies of Social Research: the Methodological Imagination, Prentice-Hall, Englewood Cliffs, 1975, pp. 423. Sommer, Peter, Identity Management and Digital Evidence, Information Assurance Advisory Council, 6th Symposium Report, Conference Paper, October 2005, pp. 10. Sousa De Vasconcellos E Sa, Jorge Alberto, Hambrick, Donald C., Key Success Factors: Test of a General Theory in the Mature Industrial-Product Sector, Strategic Management Journal 10, No.10, 1989, pp. 367-382.

References

276

Steward, Kathy A., Segars, Albert H., An Empirical Examination of the Concern for Information Privacy Instrument, Information Systems Research 13, No. 1, 2002, pp. 37-49. Stratopoulos, T., Dehning, B., Does successful investment in information technology solve the productivity paradox?, Information and Management 38, No. 2, 2000, pp. 103-117. Straub, Detmar W., Welke, Richard J., Coping With Systems Risk: Security Planning Models for Management Decision Making, MIS Quarterly 22, No. 4, 1998, pp. 441-464. Strauss, Anselm, Corbin, Juliet, Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory, SAGE Publications, London, 1990, pp. 312. Summer, Charles E., Bettis, Richard A., Duhaime, Irene H., Grant, John H., Hambrick, Donald C., Snow, Charles C., Zeithaml Carl P., Doctoral Education in the Field of Business Policy and Strategy, Journal of Management 16, No. 2, 1990, pp. 361-398. Swindle, Orson, Conner, Bill, The Link Between Information Security and Corporate Governance, released May 05, 2004, Computerworld, http://www.computerworld.com/securitytopics/security/story/0,10801,92915,00.html, visited on 14. 11. 2005. Swiss Federal Department of Justice and Police, Swiss Criminal Code, 1937, in the version of 2006. Swiss Federal Government, Swiss Federal Banking Act, 1934, in the version of 2006. Swiss Federal Banking Corporation, Technical aspects of the new capital adequacy reporting form in the context of Basel II: Draft of the circular on operational risks, 2006, pp. 21. T Tarasewich, P., Nickerson, R., Warkentin, M., Issues in mobile e-commerce, Communications of the Association for Information Systems 8, 2002, pp. 41-64. Thomson, Kerry-Lynn, Von Solms, Rossouw, Information security obedience: a definition, Computers & Security 24, No.1, Elsevier, 2005, pp. 69-75. Totty, Michael, Protecting security systems from insiders, The Wall Street Journal Europe 19, No. 10, Brussels, February 13, 2006, p. 16. Tryfonas, T., Kountouzis, E. 
and Poulymenakou, A., Embedding practices at contemporary information systems development approaches, Information Management & Computer Security 9, No,4, MCB Press, 2001, pp. 183-197. Tsoukas, Haridimos, The Validity of Idiographic Research Explanations, Academy of Management Review 14, No. 4, 1989, pp. 551-561.

References

277

Tsoumas, Vassilis, Tryfonas, Theodore, From risk analysis to effective security management: towards an automated approach, Information Management & Computer Security 12, No.1, MCB Press, 2004, pp. 91-101. Tsurumi, Y., Tsurumi, H., Value-added maximizing behaviour of Japanese firms and roles of corporate investment, Colubia Journal of World Business 20, No. 1, 1985, pp. 29-35. U Ulrich, H., Management- A Misunderstood Societal Function, In: Self-Organization and Management of Social Systems, edited by Ulrich, H., Probst, Gilbert J.B., Springer-Verlag, 1984, pp. 80-94. US Commerce, Economics and Statistics Administration, Digital Economy 2003, 2003 Survey, https://www.esa.doc.gov/2003.cfm, visited on 13. 6. 2005, pp. 140. V Van de Haar, H., Von Solms, R., A Tool for Information Security Management, Information Management & Computer Security 1, No. 1, MCB Press, 1993, pp. 4-10. Venkatraman, N., Camillus, J.C., Exploring the Concept of ‘Fit’ in Strategic Management, Academy of Management Review 9, No. 3, pp. 513-525. Vergin, Roger C., Qoronfleh, M.W., Corporate Reputation and the Stock Market, Business Horizons 41, No. 1, 1998, pp. 19-26. Vermeulen, Clive, Von Solm, Rossouw, The information security management toolbox- taking the pain out of security management, Information Management & Computer Security 10, No. 3, Emerald, 2002, pp. 119-125. Vilen, Leo, The Value-Added Chain Approach as a Method of Assessing Business Strategies, Helsingin Kauppakorkeakoulun Kuvalaitos, 1991, pp. 175. Von Solms, Basie Sebastiaan H., Information Security Governance- Compliance management vs operational management, Computers & Security 24, No. 6, Elsevier, 2005, pp. 443-447. Von Solms, Basie Sebastiaan H., Information Security governance: CobiT or ISO 17799 or both?, Computers & Security 24, No. 3, Elsevier, 2005, pp. 99-104. Von Solms, Basie Sebastiaan H., Von Solms, Rossouw, From information security to…business security?, Computers & Security 24, No. 4, Elsevier, 2005, pp. 271-273. 
Von Solms, Basie Sebastiaan H., Von Solms, Rossouw, The 10 deadly sins of information security management, Computers & Security 23, No. 8, Elsevier, 2004, pp. 371-376.

References

278

Von Solms, Rossouw, Information Security Management (1): why information security is so important, Computers & Security 6, No. 4, Elsevier, 1998, pp. 174-177. Von Solms, Rossouw, Information Security Management (2): guidelines to the management of information technology security (GMITS), Computers & Security 6, No. 5, Elsevier, 1998, pp. 221-223. Von Solms, Rossouw, Information security management (3): the Code of Practice for Information Security Management (BS 7799), Computers & Security 6, No. 5, Elsevier, 1998, pp. 224-225. Von Solms, Rossouw, Information security management: why standards are important, Computers & Security 7, No. 1, Elsevier, 1999, pp. 50-57. Von Solms, Rossouw, Von Solms, Sebastiaan H., Caelli, William J., Information Security Management: A Framework for Effective Management Involvement, Information Age 22, No. 4, 1990, pp. 217-222. Von Solms, Rossouw, Von Solms, Sebastiaan H., Caelli, William J., A Model for Information Security Management, Information Management & Computer Security 1, No. 3, MCB Press, 1993, pp. 12-17. W Walsham Geoff, Interpreting Information Systems in Organizations, Wiley, Chichester, 1993, pp. 3-23. Ward, Jeremy, ‘Towards a Culture of Security’ - The OECD Information Security Guidelines, Information Security Bulletin 8, February 2003, pp. 17-19. Ward, John, Information Systems and Technology Application Portfolio Management- an Assessment of Matrix-Bases Analyses, Journal of Information Technology 3, No. 3, 1988, pp. 206-215. Warren, M., Hutchinson, W., A security risk management approach for e-commerce, Information Management & Computer Security 11, No. 5, MCB Press, 2003, pp. 238-242. Weick, Karl E., Theory Construction as Discipline Imagination, The Academy of Management Review 14, No. 4, 1989, pp. 516-531. Weill, Peter, Ross, Jeanne, A Matrixed Approach to Designing IT Governance, MIT Sloan Management Review 46, No. 2, 2005, pp. 26-34. 
Weill, Peter, Subrmani, Mani, Broadbent, Marianne, Building IT Infrastructure for Strategic Agility, MIT Sloan Management Review 44, No. 1, 2002, pp. 57-65. Weiss, Kenneth P., Data Integrity and Security: Who’s in Charge Here Anyway, Information Management & Computer Security 1, No. 4, MCB Press, 1993, pp. 4-9.

References

279

Whitman, Michael E., In defense of the realm: understanding the threats to information security, International Journal of Information Management 24, No. 1, Elsevier, 2004, pp. 43-57. Whitman, Michael E., Townsend, Anthony M., Alberts, Robert J., Information Systems Security and the Need for Policy, In: Information Security Management: Global Challenges in the New Millennium, edited by Dhillon, Gurpreet, Idea Group Publication, 2001, pp. 9-18. Willison, Robert, Backhouse, James, Re-conceptualising IS security: Insights from a criminological perspective, London School of Economics and Political Science, Working Paper Series, 132, 2005, pp. 48. Wood, Charles Cresson, Effective Information Security Management, Elsevier Advanced Technology, Oxford, 1991, pp. 235. Wright, T., Secure Digital Archiving of High-Value Data, BT Technology Journal 19, No. 3, 2001, pp. 60-66. Wylder, John, Strategic Information Security, Auerbach Publications, London, 2004, pp. 228. Y Yin, Robert K., Case Study Research: Design and Methods, Sage Publications, 2nd /3rd ed., London, 1994/2003, pp. 171/144.